The Board, the General Counsel, and the Risk-Insensitive Executive

A significant emerging governance issue is how best to monitor – and influence – the management style of senior executives who by nature are insensitive to the risks of their initiatives. As recent controversies across multiple industry sectors confirm, such insensitivity can lead to extraordinary legal, accounting and reputational crises for the organization.

The issue extends beyond the chief executive officer to other senior officers (e.g., the chief operating officer, the chief financial officer, the chief information officer) with significant organizational portfolios and the authority to implement strategic initiatives. Their potential insensitivity to risk can similarly trigger enterprise-level concerns.

The attentive board (or its audit committee) is often in the best position to identify and address this concern. Its resolution can reconcile the risk-oversight role ascribed to boards by courts and best-practices compilations with the daily risk-management responsibilities of senior executives. The general counsel, with her fundamental professional responsibility obligations, should be an important participant in any related dialogue.

The Profile

It is important to recognize the fundamental distinction between an Unethical CEO and a Risk Insensitive Executive. Studies indicate that the former is often driven by narcissism, including self-aggrandizement, and a willingness to pursue personal gain at the expense of the organization and its constituents.[1] The latter, on the other hand, usually has a strong sense of ethics and is committed to the organization, its business goals and its constituents.

Experience suggests that the Risk Insensitive Executive is often self-confident and emboldened by sustained business success. This makes him more willing than his peers to confront regulators when he believes the organization’s position is justifiable. He does not, however, ascribe a high value to the role of lawyers and is unlikely to include the general counsel as a core member of the leadership team. He will seek advice not only on the legality of particular conduct, but also on the risk of an enforcement action with respect to such conduct. He is willing to take extreme measures when business goals warrant them. Yet he understands what “we can’t do this” means.

Some such executives are more passive or indirect in their risk insensitivity. While not aggressive by nature, they typically have not worked closely with risk or compliance programs. As a result, they may be less capable of identifying – and responding to – significant risks. This may be the result of willful blindness or an overly optimistic leadership culture that minimizes problems when brought to executives’ attention.[2]

The Problem

The problems that a Risk Insensitive Executive can create – often unintentionally – are many and varied. Perhaps the most obvious is a business arrangement, transaction or strategy whose risk exceeds what business judgment would support. Of similar concern would be the adoption of a corporate strategy or policy that would potentially cause significant harm to the corporation’s reputation, aside from any legal concerns.

Subtler concerns include executive-driven (i) decreases in legal and compliance budgets; (ii) limitations on the ability of legal, compliance, and other risk managers to interact with key board committees; (iii) decentralized organizational structures that unintentionally promote the siloing of risk; (iv) reductions in the meeting frequency of risk-related committees, and of executive sessions; and (v) of course, significant conflicts between corporate culture and compensation incentives or job promotion standards.

And then there are those situations where executive aggressiveness steps right up to or on the line between legal compliance and noncompliance. Recently, New York Mayor Bill de Blasio was cleared by federal and state prosecutors of any criminal violations of election campaign fundraising laws. However, in an extraordinary action, the Manhattan district attorney noted publicly that his decision not to charge the mayor “was not an endorsement of the conduct at issue.”[3] The district attorney went further, commenting that the fundraising transactions at issue appeared “contrary to the spirit of the laws… meant to prevent corruption and the appearance of corruption.”

Imagine, for a moment, if de Blasio were the CEO of a major corporation rather than the mayor of New York, answerable to a board of directors rather than an electorate. How would a board respond to an otherwise successful CEO who was so publicly chastised for his conduct by a prosecutor? What would be the damage to the corporation’s reputation and brand? And how can a board be alerted to a senior executive whose conduct violates the spirit of the law, if not the law itself?

The Law

The law and evolving governance principles and best practices have combined in recent years to underscore the fiduciary responsibility of the board to exercise informed oversight of all risks facing the corporation, including legal, regulatory, and compliance concerns.

For example, both the Commonsense Principles of Corporate Governance[4] and the Business Roundtable’s 2016 Principles of Corporate Governance[5] confirm the board’s basic responsibility for risk management oversight. Notably, these publications caution boards not to be risk-averse, but to seek a “proper calibration of risk and reward” in recognition of creating long-term value.[6]

Perhaps most relevant to this discussion is the Business Roundtable’s perspective that the board is “directly responsible for [s]etting the company’s risk appetite, reviewing and understanding the major risks, and overseeing a risk management process”.[7] A critical part of that responsibility is to facilitate agreement between the board and senior management on the risk tolerance of the corporation.[8]

The leading Delaware decisions that address compliance and business risk oversight involve allegations that the directors breached their fiduciary duties either by (i) failing to establish, or maintain, adequate compliance programs, or (ii) ignoring various warning signs of business or compliance risk. These decisions build on the business judgment rule in placing extremely high burdens on plaintiffs for sustaining breach of duty allegations.[9]

There are two concerns. First, when presented with particularly egregious facts, courts (especially those outside of Delaware) may be more receptive to breach of oversight obligation claims.[10] Second, less-than-vigorous risk and compliance oversight by the board may undermine the ability of the organization to obtain credit for its risk monitoring programs under applicable guidelines for federal prosecution of business organizations.[11]

The Resolution

The board may address the issue directly and indirectly. The most direct approach is a clear message to executive leadership that risk management is as much a responsibility of the board as of the leadership team. The board and its senior executives must reach a consensus on the company’s risk profile and its manifestation in corporate strategy. Senior executives must understand that, while the board will not become involved in daily risk management, it will make sure that executives are guiding corporate affairs consistent with that risk profile.

More indirect means can include (i) assuring that the general counsel is a valued member of the senior leadership team, i.e., the peer of the CFO;[12] (ii) reinvigorating the executive session practice to include the general counsel; (iii) openly acknowledging the up-the-ladder reporting obligations of the general counsel;[13] and (iv) confirming that board committees with risk and compliance responsibilities are competent, adequately staffed, and meet with appropriate frequency.

The board members may also wish to study the relevant risk management lessons from the recently released Wells Fargo Sales Practices Investigations Report.[14] They should pay particular attention to the report’s observations on the risks of decentralized organizational structures, the so-called “culture of substantial deference,” and the need for the board to insist on timely and complete risk reporting and be forceful in pursuing risk prevention measures.


A fair question is whether a highly valued executive is pushing the edge of the risk envelope, pursuing, or tolerating, conduct that violates the spirit of the law. And if so, how would the board know it? The answer is through more direct and vigorous board-to-management dialogue about the limits of the company’s risk profile and the need for executive leadership to navigate within those limits. No data suggest that the average corporate executive is insensitive to risk or that risk insensitive executives are inherently unethical or resist legal compliance. But we know, intuitively and by experience, that such executives exist and, despite their outsized tolerance for risk, they are successful and usually ethical. Yet recent business headlines are a painful reminder of the extent to which executives’ insensitivity to risk in all its forms can contribute to corporate controversy.


[1] Johnson, Kidwell, Love and Reekers, “Who Follows the Unethical Leader?” The CLS Blue Sky Blog, March 28, 2017.

[2] Independent Directors of the Board of Wells Fargo & Company Sales Practices Investigation Report (“Wells Fargo Report”), April 10, 2017, at 10, 13.

[3] Ramey, Orden and Gay, “New York Mayor Bill de Blasio Cleared in Fundraising Probes”, The Wall Street Journal, March 16, 2017.

[4] Commonsense Principles of Corporate Governance,

[5] The Business Roundtable, Principles of Corporate Governance (Aug. 2016),

[6] Commonsense Principles, supra note 4, at 4.

[7] The Business Roundtable, supra note 5, at 16.

[8] Martin Lipton, “Risk Management and the Board of Directors”, Harvard Law School Forum on Corporate Governance and Financial Regulation, February 15, 2007 (“Risk Management”).

[9] See In Re Caremark International Inc. Derivative Litigation, 698 A.2d 959 (Del. Ch. 1996); see Stone v. Ritter, 911 A.2d 362 (Del. 2006); see In re Citigroup Inc. Shareholder Derivative Litigation, 964 A.2d 106 (Del. Ch. 2009); see In re The Goldman Sachs Group, Inc. Shareholder Litigation, 2011 WL 4826104 (Del. Ch. Oct. 12, 2011).

[10] Martin Lipton, supra note 8.

[11] Peregrine, “Beyond Caremark: Individual and Corporate Liability Considerations,” NYU Law School Compliance & Enforcement Forum, December 7, 2016.

[12] Ben W. Heineman Jr., “How the CFO and General Counsel Can Partner More Effectively”, Harvard Business Review, July 25, 2016.

[13] Peregrine, “Reporting ‘Up’ Obligations,” Harvard Law School Forum on Corporate Governance and Financial Regulation, April 28, 2016.

[14] Wells Fargo Report, supra.

This post comes to us from Michael W. Peregrine, a partner at the law firm of McDermott Will & Emery. The views expressed herein do not necessarily reflect those of the firm or its clients.