Potentially Unfinished Leadership Business from the McDonald’s Decisions

With the benefit of a half-year of hindsight, it is worthwhile to confirm the compliance and risk-related lessons arising from the two recent. Delaware decisions addressing the McDonald’s workforce culture controversy.[1] For notwithstanding their technical Caremark guidance,[2] it has become clear over time that these decisions offer very practical lessons for corporate leadership as to their oversight and decision-making duties

Implementing major fiduciary duty lessons often comes slowly to organizations, especially when they have compliance and risk overtones. But as to McDonald’s, it’s not too late to put those lessons into practice.

Background

As most corporate governance observers are aware, these decisions (both arising from a derivative complaint) addressed and clarified the application of the duty of oversight obligation initially articulated in the prominent Caremark decision.

As modified by Delaware courts over the years, Caremark has established a standard for director liability based on two distinct claims; i.e., that the directors either (a) “utterly failed to implement any reporting or information system or controls” [to facilitate board oversight] (the so-called “Information Systems Claim”) or (b) having implemented such a system or controls, consciously failed to monitor or oversee its operations, thus disabling themselves from being informed of risks or problems requiring their attention” (the so-called “Red Flags Claim”).

The two related McDonald’s decisions, issued earlier this year, combine to make two fundamental refinements to the Caremark standard.  The first of these refinements is that corporate officers owe a fiduciary duty of oversight as to matters within their areas of responsibility.  The second of these refinements is that the information reporting system required by Caremark should focus on the “central compliance risks” of the organization, and not just on its “mission critical risks”.

The Ripple Effect

Given Caremark’s broad influence on compliance and risk, these two refinements are having a notable “ripple effect” on how corporate leadership approaches risk identification, evaluation and response; especially in the context of the current litigation and regulatory enforcement environments.  This ripple effect is manifesting itself in the following risk elements, among others:

The Designation of Officers:  Corporate titles are now assuming more significance than before.  For purposes of fiduciary duties in general and the duty of oversight in particular, it now makes a greater difference as to who is identified as a corporate officer-whether administratively, in the corporate bylaws or even in the minutes of board meetings.  State corporation laws defining “officer” may become a useful resource in this regard.  Efforts by senior corporate executives to avoid the officer designation in order to avoid the imposition fiduciary duties would likely prove unsuccessful.

The “Why” as it Relates to Officers:  Education is becoming more important.  In order to enhance oversight compliance, it may be necessary to explain to leadership in lay terms the Chancery Court’s rationale for extending fiduciary responsibilities to the corporate officer cadre; e.g. that:

“[m]onitoring and strategy are not exclusively the dominion of the board…nondirector officers may have a greater capacity to make oversight and strategic decisions on a day-to-day basis.”

It’s About Both Prongs:  Corporate officers should understand that their obligations extend to both prongs of the Caremark standard.  As to the “information reporting system obligation,” the Chancery Court described as an “indispensable part of an officer’s job” the responsibility to gather relevant information and provide timely reports to the board about the officer’s area of responsibility.

The Court was very clear that the “red flags obligation” also applies to officers as well as directors.  As the “day-to-day” managers of the corporation, a critical part of an officer’s job is to identify red flags, and either deal with them directly or report them “up the ladder” to the board.  Officers “are far more able to spot problems than part time directors who meet a handful of times a year.”  Given that officers are “running the business on a full time basis”, it’s appropriate that they have a duty to either address, or report upwards, what they see.

Sentencing Guidelines Connection:  Corporate officers may be somewhat mollified by the consistency between their own new reporting obligations, and their pre-existing obligations for positioning the corporation to receive credit under the Federal Sentencing Guidelines for having in place an “effective” compliance plan.  The Chancery Court specifically noted that the steps necessary to meet the expectations of the Guidelines extend beyond the board.  They call for executive officers to assume overall responsibility for the compliance and ethics program undertake specific compliance and oversight obligations.

What’s Called For:  Officers will be expected to make a good faith effort to implement an information system that will provide both the board and management with information that enables them both to make informed judgments on organizational compliance and business performance.  In other words, it’s not just the board that needs actionable information-the management team does as well.  For that reason, it may be necessary for corporate officers to revisit current expectations regarding reporting up obligations of employees within their work area.

Their “Scope of Responsibility”:  Application of the new McDonald’s oversight duties as to information systems and to reporting “red flags” will be context-driven; i.e., applicable only to the officer’s specific area of responsibility.  As the Chancery Court noted, some officers (e.g., the CEO and the Chief Compliance Officer) likely will have company-wide oversight portfolios.  Other officers (e.g., the CFO and the CLO) may have a more constrained version of those duties.

One of the most challenging aspects of McDonald’s implementation will thus be confirming the scope of officers’ corporate responsibilities for oversight purposes.  These officers will likely want to know how that responsibility is distinguishable from the responsibility to support the organization’s corporate compliance plan.

Defining “Red Flag”:  One of the more obvious questions that officers and directors might ask following McDonald’s is what exactly constitutes a “red flag” for oversight purposes.[3]  And the problem is there isn’t a universally accepted definition.  It’s certainly more than simply bad news.  Some knowledgeable observers would define a red flag as “information that alone or in combination with other known information presents the board with an immediately known duty to act”.

In the context of this definition, information that is “assertively bad” won’t necessarily constitute a red flag “because each drip only adds a drop to the bucket with little warning of the deluge on its way”.

“Central Compliance Risks”:  The second of the two McDonald’s decisions clarifies that the information system reporting obligation relates to the “central compliance risks” of the corporation, not to the more narrow concept of “mission critical risks” as first introduced in the Delaware Supreme Court’s 2019 decision in Marchand v. Barnhill.[4]

Neither the Marchand decision, nor any subsequent Delaware decision, has provided a specific definition of “central compliance risks”.  We know from Marchand that mere management-to- board reports on the company’s general operations aren’t generally sufficient to constitute a Caremark-effective monitoring system.  We also know from McDonald’s that all “essential and mission critical risks” qualify as central compliance risks, but also that some central compliance risks may rise to the level of “essential and mission critical risks”.

Until that definitional void is clarified, it may be best for officers and other managers to rely on the organization’s reporting standards under its established corporate compliance program for guidance on how best to respond to information system reporting obligations within an officer’s scope of responsibility.

The Role of Bad Faith:  The McDonald’s decisions also clarify the role of “bad faith” in the context of a Caremark claim.  For example, bad faith can be inferred from directors’ (and now officers as well?) failure to make any effort to establish an information system to address central compliance risks.  Yet apart from central compliance risks, “a plaintiff will have difficulty rebutting the business judgment rule where officers or directors have made a good faith decision regarding the level of monitoring resources, if any, to assign to a risk.”

But bad faith is applied differently in the context of the “red flags” obligation.  In that situation, bad faith is necessary to overcome the presumption of the business judgment rule as applied to an officer or director’s decision on how to respond to a red flag.  It is easier to draw an inference of bad faith if the red flag concerns a central compliance risk, and the inference becomes stronger when the red flag concerns an essential or mission critical risk.  That notwithstanding, sustaining a red flag claim is not dependent on evidence of an essential or mission critical risk.

These are, of course, complicated distinctions that will need to be carefully explained to executive level officers.

The Department of Justice Connection

The fiduciary implications of the McDonald’s decisions can’t fully be evaluated without considering the significant corporate compliance-related measures adopted by the Department of Justice (“DOJ”) over the last year.[5]

These measures include (i) a vigorous and overarching commitment to corporate fraud enforcement and to the principles of individual accountability; (ii) material revisions to DOJ’s corporate enforcement policy; (iii) the adoption of a new voluntary self-disclosure policy, offering several “new, significant and concrete incentives” for companies to self-disclose identified corporate misconduct to the government; (iv) a new policy intended to incentivize compliance-promoting behavior through innovative approaches to executive compensation and the use of clawbacks; and (v) corresponding changes to DOJ’s Evaluation of Corporate Compliance Programs (ECCP) guidelines.

The totality of these new compliance policies and initiatives sends corporate leadership a clear signal concerning DOJ’s commitment to corporate fraud enforcement, individual accountability, and establishing “the right incentives to promote and support a culture of corporate compliance.”  It is a signal that should fairly be considered when implementing refinements to corporate information reporting systems in response to the McDonald’s decisions.

Summary

Given the passage of time, the practical risk and compliance implications of the January and March decisions in the McDonald’s stockholder derivative litigation have become more clear, especially as they relate to non-director corporate officers.  These implications can now be viewed as affecting the identification, reporting and evaluation of risks within the organizational hierarchy.

With a this in mind, there is value in assuring before year’s end that both corporate officers, and directors, are familiar with these critical refinements to the Caremark doctrine as it relates to their particular positions in the organizational hierarchy.  The Chief Legal Officer, perhaps teaming with the Chief Compliance Officer, are the logical corporate officers to assist in this regard.

[1] In re McDonald’s Corp. Stockholder Derivative Litig., C.A. No. 2021-0324-JTL (January 25, 2023);

In re McDonald’s Corp. Stockholder Derivative Litig., C.A. No. 2021-0324-JT (March 1, 2023).

[2] In re Caremark International, Inc. Derivative Litigation, 698 A.2d 959 (Del. Ch. 1996).

[3] Mark J. Gentile and Joseph L. Christensen, “In re Citigroup: The Birth Announcement and Obituary of the Duty of Business Performance Oversight”; Bloomberg Law Reports-Corporate Law Vol. 3 no. 19 (2009 Bloomberg Finance L.P.)

[4] Delaware Supreme Court 212 A.3d 805 (2019).

[5] See, e.g., Deputy Attorney General Lisa Monaco Delivers Remarks at American Bar Association National Institute on White Collar Crime, DOJ (March 2, 2023) https://www.justice.gov/opa/speech/deputy-attorney-general-lisa-monaco-delivers-remarks-american-bar-association-national