Oversight and Compliance Reminder

Two recent developments in civil and criminal law highlight the importance of active, engaged board oversight in the areas of risk and compliance. The first is a Delaware Supreme Court decision allowing plaintiffs to proceed with a Caremark claim, and the second is a memorandum released by the Criminal Division of the U.S. Department of Justice noting the role of the board in ensuring that compliance programs are implemented effectively. While the Delaware case sends a warning message to directors, the DOJ memorandum provides guidance for directors as they work to fulfill their oversight responsibilities.

Marchand v. Barnhill

In June, the Delaware Supreme Court reversed a Court of Chancery decision and allowed plaintiffs to proceed with a lawsuit alleging that the board of directors of Blue Bell Creameries had breached its Caremark duties. In reaching such a determination, the Supreme Court noted that “Caremark claims are difficult to plead and ultimately to prove out … [T]o satisfy their duty of loyalty, directors must make a good faith effort to implement an oversight system and then monitor it.” While Marchand v. Barnhill does not signal a change in Delaware law, it serves as a cautionary reminder to directors that oversight requires active, ongoing engagement.

Recognizing that the holding in Marchand v. Barnhill is fact-specific, nonetheless the takeaway applies to all public companies: Directors must identify key business risks, establish a system of board-level compliance monitoring and reporting to oversee the management of these risks, and make a good faith effort to ensure that the system is working effectively. The Supreme Court stated:

In sum, the complaint supports an inference that no system of board-level compliance monitoring and reporting existed at Blue Bell. Although Caremark is a tough standard for plaintiffs to meet, the plaintiff has met it here. When a plaintiff can plead an inference that a board has undertaken no efforts to make sure it is informed of a compliance issue intrinsically critical to the company’s business operation, then that supports an inference that the board has not made the good faith effort that Caremark requires.

Therefore, boards would be wise to regularly review the effectiveness of the company’s risk management efforts, on a quarterly or semi-annual basis. Under Caremark, a board has broad flexibility to establish monitoring and reporting protocols that are suited to the business and the company, but it must establish some such protocols, and it must try to make sure they are effective.

Another lesson from Marchand v. Barnhill is that corporate minutes should reflect the board’s oversight efforts. Documentation should be created showing the existence of reporting protocols, reports of issues that arise, the actions taken to address known risks or deficiencies, and periodic pressure testing by the board. To the extent that board committees are utilized in oversight efforts, the reviews and the record keeping could be undertaken by the relevant committee (generally either the audit committee or, if one exists, the risk management committee) with the board minutes referencing the reports of the relevant committee to the full board and the review by the full board of committee minutes and materials. Vague and generalized language in board or committee minutes may not be sufficient, as the lack of detail may be interpreted as evidence that the board did not make a good faith effort towards oversight. That said, board minutes and other corporate records should be drafted or reviewed by counsel to ensure that no privileged information will be disclosed if these documents are produced in discovery during a future litigation.

DOJ Memorandum

In a memorandum released in April, the Department of Justice provided guidance regarding corporate compliance. While the memorandum is extensive and primarily directed toward senior and middle management, it contains important guidance for boards as well. The board of directors sets the tone for the entire corporation, and the board should promulgate its ethical standards clearly at all levels of the company. Actions as well as words are necessary: When prosecutors are evaluating corporate compliance programs, they will consider whether those responsible for compliance have been empowered through sufficient status, resources, and autonomy. Autonomy may include direct access to the board of directors or a board committee, such as the audit committee.

In an investigation into corporate misconduct, the DOJ memorandum suggests that one of the first questions prosecutors will ask is what, if any, compliance expertise has been available to the board. They may consider whether the board has held executive sessions with compliance leaders within the company and may inquire as to what types of information the board has examined in its exercise of the oversight function. Key questions will be what types of issues have been reported to the board, and how the board and management have addressed them. Documentation as to board discussions and decisions will be necessary to show that the board has been diligent in fulfilling its oversight responsibilities.

The court in Marchand v. Barnhill stated that nominal corporate compliance with applicable regulations is not adequate to satisfy a board’s oversight obligations. The plaintiff in that case used Blue Bell’s corporate books and records to support a fair inference that “no reasonable compliance system and protocols were established as to the obviously most central consumer safety and legal compliance issue facing the company.” (As the company made only one product, ice cream, a key business risk was food safety.) Among the items cited to support this inference were the lack of a board committee tasked with oversight of food safety; the lack of a regular process requiring management to report to the board on food safety; the lack of a schedule for the board to consider food safety risks on a regular basis; and the lack of any mention in the board minutes of reports of food safety concerns that had been received by management during a key time period. While board committees may be an element of an effective oversight function, Marchand v. Barnhill should not be read as requiring that each company have a committee in place to monitor specific risks. In fact, significant risks are often addressed directly with the full board and, assuming the provision of appropriate information and active engagement by board members, that approach should be sufficient in most situations.

Board Oversight Today

As the Delaware case and the DOJ guidance make very clear, risk assessment is the primary starting point for any evaluation—internal or external—as to whether a company has effective oversight and compliance programs. It is the job of the board to identify key business risks and implement a program reasonably designed to produce the information needed to oversee and assess risk management and compliance. The program requires continuous monitoring and updating, and for the protection of the board and the company, each step of the oversight process should be carefully documented in minutes and corporate records.

Boards may find it useful to engage experts to help identify and assess business risks. Experts also may be able to help develop systems to enable the board to monitor and evaluate these risks on an ongoing basis. In a large and multifaceted business, it may be helpful for the board to seek external assistance in narrowing its areas of focus in order to use its time effectively. Boards cannot, nor are they required to, oversee corporate compliance in every respect. The goal is to implement a system in which management will report to the board regarding deficiencies that significantly threaten the enterprise, thereby providing directors with the opportunity and information needed to respond accordingly. A board that seeks the advice of qualified experts will gain some protection for their business decisions made in good faith.

Ultimately, sound corporate governance and active oversight can minimize the risk of lawsuits and criminal investigations. While Marchand v. Barnhill and the DOJ guidance memorandum do not change the landscape of liability, they serve as powerful reminders that oversight today is an active, not a passive, undertaking.