Takeaways

• Delaware courts have become more willing to allow stockholders to pursue claims that directors breached their duty to oversee risk management and compliance.
• Directors are most vulnerable to suits where they have not established oversight processes for monitoring risks in “mission critical” aspects of the business or where “red flags” arguably should have alerted the board to looming problems.
• Boards need to ensure that they are devoting enough attention to risks and compliance and carefully document their oversight efforts.

Directors’ fiduciary duty of loyalty to the company and its stockholders includes a duty to oversee the company’s operations. That, in turn, includes an obligation to take reasonable measures to implement and oversee risk management and compliance controls. Where a board fails to do this, directors may be vulnerable to lawsuits by stockholders. In Delaware, whose law governs most large American corporations, these are known as Caremark claims.

Historically, these kinds of suits have been very difficult to maintain because they require that plaintiffs show bad faith on the board’s part. And a bad outcome does not suffice to show bad faith.

Nonetheless, over the past several years, Delaware courts have allowed an increasing number of Caremark claims to survive a motion to dismiss and proceed to discovery. In these cases, the stockholder plaintiff adequately alleged a lack of corporate control systems or the existence of “red flags” suggesting improper oversight. As a recent decision put it, Caremark claims, “once rarities … have in recent years bloomed like dandelions after a warm spring rain.”

Boards need to take these recent rulings into account in considering how to oversee their companies’ risk management and compliance.

What the Duty of Oversight Entails

The 1996 Caremark case that gave its name to these claims held that a director’s duty of loyalty requires directors to implement and monitor risk oversight processes. To prevail in a suit against directors for breach of this duty, a plaintiff must prove that directors were not just negligent, but acted in bad faith — that they either (a) “utterly failed to implement any reporting or information system or controls” (the “first prong”) or (b) “having implemented such a system or controls, … consciously failed to monitor or oversee its operations, thus disabling themselves from being informed of risks or problems requiring their attention” (the “second prong”).

Bad faith requires that directors intended to do harm, consciously disregarded their responsibilities or failed to act in the face of a known duty to do so.

That is a high hurdle for plaintiffs, and no Caremark claim has ever even gone to trial. But in recent years stockholders have utilized their rights to inspect corporate books and records more frequently, and in a growing number of Caremark cases, they have drawn on that internal information to allege bad faith with enough detail to survive a motion to dismiss.

Delegate Responsibility to Management But Exercise Oversight

Delaware law recognizes that directors are not involved in the day-to-day management of their companies and protects them when they rely in good faith on information provided by officers and employees, among others. However, the board still has to be involved, and must take reasonable steps to establish a compliance system (the first prong of Caremark) and then must monitor that system (the second prong). “Caremark envisions some degree of board-level monitoring system, not blind deference to and complete dependence on management,” as one Delaware decision put it recently.

Just where to draw that line is the issue at the core of recent Caremark cases, as we will explain.

Inadequate Control Systems (First Prong)

In several recent suits, the stockholder plaintiff was allowed to proceed with its claims where it alleged in some detail that a board acted in bad faith and violated its duty of oversight by failing to establish a committee or other system to monitor “mission critical” risks at the board level in monoline companies. For example:

• An ice cream company’s board faced potential Caremark liability after a listeria outbreak, when a stockholder plaintiff alleged that directors failed to implement any system to monitor the company’s food safety performance or compliance
• An oversight claim against Boeing’s board relating to the 2018 and 2019 crashes of the company’s newly released 737 MAX aircraft survived a motion to dismiss. There the plaintiff alleged that the board did not monitor, discuss or address airplane safety on a regular basis; had no process or protocols for receiving safety updates from management; never received information on red flags observed by management; and made statements suggesting an awareness of the need for such safety-monitoring systems and procedures.

By contrast, cases have been dismissed where there was a record of conscientious board oversight:

• In June 2022, the Delaware Court of Chancery dismissed Caremark claims where a board formed a committee “to oversee and report on safety policies, practices, and performance” that met five times a year to receive “extensive reports” from senior management, and safety risks were regularly reported to the board.
• Caremark claims were dismissed in another case when the board received annual risk assessment reports, its audit committee was “routinely apprised” of cybersecurity risks and the company engaged outside consultants and auditors to address its risk profile.

Again, a bad outcome does not demonstrate bad faith. Delaware courts have acknowledged that “the directors’ good faith exercise of oversight responsibility may not invariably prevent employees from violating criminal laws, or from causing the corporation to incur significant financial liability, or both.” Instead, the legal question is “whether the board made a good faith effort to put in place a reasonable board-level system.”

“Red Flags” (Second Prong)

The second way that a plaintiff can adequately plead a Caremark claim is to allege that a company’s board ignored specific “red flags” that suggested misconduct or malfeasance at the company.

• The Boeing case provides a particularly salient example. There the court found that the crash was a clear “red flag,” but “rather than investigating the safety of the aircraft and the adequacy of the certification process,” the board “treated the crash as an ‘anomaly,’ a public relations problem, and a litigation risk.”
• In another recent case that the court refused to dismiss, a stockholder plaintiff alleged that a pharmaceutical company’s directors knew that management was incorrectly reporting results from a critical clinical trial. The court cited the fact that the board included industry experts who were familiar with regulatory requirements governing the drug trial.

Other examples of “red flags” have included lawsuits alleging illegal corporate conduct, known compliance issues regarding regulations or internal protocols, and employee reports suggestive of risks or deficiencies inherent to the company’s operations. In one recent case, the Court of Chancery suggested that the board should also monitor and consider “red flags” from sources outside the company, such as a stockholder’s litigation demand letter.

Even with some evidence of “red flags” that were not identified as such, it can be an uphill struggle for plaintiffs. The board must have “consciously overlooked or failed to address them.” And not every indication of a potential problem is a “red flag” worthy of a board-level reaction.

• In one recent case, a board was informed that the Federal Trade Commission had opened an investigation into consumer complaints, and the board was aware that the frequency of such complaints had increased. But the court found that this was not a “red flag” that put the board on notice of illegal activity, because the complaints and investigation did not establish that the company had violated consumer protection laws.
• Caremark claims were dismissed in another case where the board was aware of litigation alleging that the company had broken the law, but determined in good faith to “allow the … litigation to play out prior to making any determinations regarding the remediation of the underlying alleged illegal conduct.”

Fulfilling the Board’s Oversight Obligations

It is hard to draw clear-cut rules based on the litigation to date. But they point to steps boards can take to reduce the risk of a Caremark claim, or at least to be positioned to knock out a complaint on a motion to dismiss instead of being subjected to the time-consuming and expensive process of discovery and trial.

• Take good-faith steps to establish monitoring and compliance systems and pay ongoing attention to them. This might require consultation with legal counsel and other experts to identify where risks may arise and how best to monitor them.
• Pay particular attention to “mission critical” issues. This might involve providing for regular reports into such issues, or setting up a board committee empowered to monitor the company’s most material risks and regularly report to the full board.
• Discuss with advisers the issues on which the board should receive regular reports and identify what “red flags” may be for the particular business.
• Given stockholders’ increasingly frequent demands to inspect corporate books and records, boards should document their efforts in sufficient detail to demonstrate the attention they have paid to understanding and overseeing risk and compliance systems and responding to any issues that arise.