Are All Risks Created Equal? Rethinking the Distinction between Legal and Business Risk in Corporate Law

Gideon Parchomovsky is Wachtell, Lipton, Rosen & Katz Chair in Corporate Law at the Hebrew University of Jerusalem, and Adi Libson is a lecturer in the Law Faculty of Bar-Ilan University. This post is based on their recent paper.

Should corporate legal risk be treated similarly to corporate business risk? Currently, the law draws a clear-cut distinction between the two sources of risk, permitting the latter type of risk and banning the former. Business decisions, risky though they may be, fall under the duty of care and, as long as they do not involve a conflict of interest, are judged under the deferential business judgment rule. Furthermore, companies can grant directors and officers exemptions from liability for negligent violations of the duty of care, as well as insure them against personal liability in such cases. Decisions that violate the law, by contrast, constitute a violation of the duty of loyalty (or an independent duty of good faith – Cede & Co. v. Technicolor, Inc.), and hence, they are not entitled to the deferential standard of the business judgment rule. This distinction has been especially emphasized in the context of violations of the oversight duty, with courts willing to impose liability in the case of the latter, but not in the former (Chancellor Chandler in In re Citigroup; Pollman, 2019).

As a consequence of this distinction, corporate managements can take on high business risks, but must steer clear of decisions and policies that involve minimal legal risks, even when the potential rewards are very high. As a result, fiduciaries are shielded from personal liability in the case of business risk and are entirely exposed to civil and criminal liability that arises from legal risk-taking. As corporate law theorists have underscored, the differential treatment of business and legal risk is highly problematic from the perspective of firms and shareholders (Bainbridge, 2008; Pollman, 2019). To begin with, legal risk cannot be completely averted or eliminated. More importantly, decisions involving negligible levels of legal risk might yield significant profits for firms. Thus, the outright ban on legal risk-taking harms shareholders, who would have favored a more nuanced regime for legal risk. From the shareholder point of view, there is no justification for differentiating between two similar patterns of risk, with upsides and downsides of the same magnitude and probability, based on the source of the risk. Shareholders should be agnostic to the source of risk in and of itself.

In this paper we make two novel contributions to corporate law scholarship, one descriptive and one normative. Descriptively, we offer a novel justification for the puzzle of the differential treatment of business and legal risk. We argue that because of the exposure of board members to personal liability for losses resulting from legal risk, they will veto all policies and decisions implicating legal risk, minimal though it may be. Analysis of legal risk may constitute evidence of scienter and thus heighten the exposure of directors to legal sanctions.

Aware of this disposition, managers, whose compensation is often tied to performance and who are therefore more risk-seeking, will prefer not to raise policies and decisions that implicate legal risk to board discussion. This, however, works to the detriment of shareholders who are deprived of the protective mechanism of board overview with respect to legal risk. Legal risks, therefore, largely escape board scrutiny. While the justification we advance has stronger explanatory power than prior justifications, it leaves open the possibility that the law may be redesigned in a more nuanced and desirable way. This leads to the normative contribution of the paper. Consistent with the modern philosophy toward risk, which maintains that all risks can be managed, and following the traditional distinction in criminal law, we propose that legal risks be divided into two categories of severity: risks involving prohibitions that fall into the category of mala in se—inherently wrong, and prohibitions that fall into the category of mala prohibita—actions which are impermissible but not inherently wrong. For instance, theft is considered a moral wrong independent of the legal prohibition. In contrast, reporting violations are not deemed immoral per se.

Legal risks should then be further classified, based on their probability of occurrence, into three classes of risk: remote, reasonable and probable risk. This distinction is no stranger to corporate law. The Generally Accepted Accounting Principles (GAAP) that have been endorsed by SEC regulations clearly distinguish between “remote” risks of loss that need not be included in financial reports, and reasonable and likely risks of loss that ought to be reported. Although the GAAP do not provide precise numerical values for each category, in practice, a “remote” risk is deemed as a risk whose probability of occurring and inflicting a loss on the corporation is 0.3 or lower, a “reasonable” risk is associated with a probability that is higher than 0.3 but lower than 0.7, and a probable risk is one whose likelihood of eventuating is 0.7 or higher. We do introduce one important modification into the GAAP. Since we believe that any risk whose likelihood of occurring is higher than 0.5 is not reasonable, for the purpose of our analysis we define reasonable risk as one whose probability of occurring is between 0.3 and 0.5, and any risk that falls in the range of 0.5 and 1 as probable (Deloitte, 2019).

Combining our two criteria generates six classes of legal risks, for each of which we develop a unique liability regime. In this vein, we suggest a distinction between potential mala in se violations, which typically involve criminal prohibitions, and possible mala prohibita violations, which typically involve administrative norms. In the former case of risks that may lead to a criminal violation, boards and officers would only be allowed to consider remote legal risks, i.e., courses of action that are highly unlikely to violate the law. In the latter case that involves potential violations of administrative rules and regulations, directors and officers would be allowed to consider both remote and reasonable risks, i.e., courses of action that do not represent a probable likelihood of breaking the law. Importantly, our proposal submits that different levels of risk-taking will be subject to differential liability regimes matching the level of the risk involved in the decision. Furthermore, it would require corporate fiduciaries to provide external validation of their risk assessment.

The risk level and the supporting evidence will determine the applicable judicial review standard. If the management and board are in possession of an administrative pre-ruling that affirms the legality of the decision, the decision would be immune to judicial review. If the management and board relied on an expert opinion stating that there is only a remote risk of illegality, courts will review the substance of the opinion to ensure that it is well-grounded. Finally, if the expert opinion on which the directors and officers relied states that their legal risk was reasonable (but not probable), it will be subject to enhanced scrutiny, under which the directors and officers will bear the burden of showing that the risk they chose to take was reasonable and that the expected benefits exceeded the potential harm.

The adoption of our proposed framework would transform the way courts and corporations approach legal risk from outright disapproval to qualified sanctioning. And although implementation of our proposal would not place business risk and legal risk on equal footing, it would allow managers and officers to openly weigh and consider business strategies that involve an acceptable level of legal risk.

The complete paper is available for download here.

