Corporate boards may wish to adopt a plan of action in response to two recent Delaware decisions suggesting a shift in application of the historically director-friendly Caremark[1] standard for board oversight of a company’s compliance systems. Such a plan would be designed to reduce director liability exposure, support director retention, and enhance the effectiveness of risk oversight.
It is well established that a Caremark claim is one of the most difficult theories in corporation law to win[2]. It requires particularized facts that either (i) “the directors completely fail[ed] to implement any reporting or information system or controls, or . . . [(ii)] having implemented such a system or controls, consciously fail[ed] to monitor or oversee its operations thus disabling themselves from being informed of risks or problems”.[3]
Yet in both Marchand v. Barnhill[4] and In Re Clovis Oncology[5], the courts allowed a breach of duty action to proceed based on allegations that the board was essentially indifferent to its obligation to exercise oversight of the company’s compliance with positive law—including regulatory mandates.
The Marchand decision arose from a listeria outbreak in ice cream manufactured by a well-known dairy company, leading to significant customer and corporate harm. While the dairy company did maintain a corporate compliance plan, it served to inform directors only of basic matters as to licensure and regulation. Plaintiffs alleged that the plan failed to provide the directors with timely notice of the listeria outbreak and related issues. The Delaware Supreme Court concluded that was tantamount to having no compliance plan at all, a deficiency which could be attributed to the board of directors’ failure to exercise proper oversight.
The Clovis decision arose from a precipitous drop in the stock value of a pharmaceutical company, prompted by the reporting of poor clinical trial results for its primary drug under development. The company did have “robust” reporting systems intended to advise the board of the drug development process. However, management’s reporting was alleged to be misleading and inaccurate. The Delaware Court of Chancery described these reports being received by the directors “[W]ith hands on their ears to muffle the alarms.”
Noting that the company’s board was “full of experts” and operating in a “highly regulated industry,” the court concluded that the board should have recognized the inaccuracies and taken steps to fix them. Its failure to do so evidenced breach of its oversight duty.
The Marchand and Clovis decisions have attracted significant attention to the extent they are perceived as sending a new message on Delaware law expectations for boardroom attentiveness. Whether or not that is a fair interpretation of those decisions, it’s a message that officers and directors are taking seriously and for which they will want guidance from their management and advisers.
This is especially the case for boards of companies that resemble those in Marchand or Clovis; i.e., companies that either (a) operate in a highly regulated industry (including those with a specialized board of industry experts); (b) interact directly with matters of public health and safety (e.g., food, health care, pharmaceuticals); or (c) feature a monoline product or service.
The chief legal officer (“CLO”) is well suited to provide this guidance, perhaps acting in tandem with the chief compliance officer (“CCO”). That guidance (i.e., a”Marchand/Clovis Reaction Plan”) might address the following topics, among others:
- Share the Rules. Directors should receive a briefing from the CLO on the Caremark standard and how it applies to their board service. The typical corporate director is attentive, aware and inquisitive and may benefit from a more precise understanding of the fiduciary standards to which he or she is held. Give them the rules, and they are more likely to adhere to them.
- Management-to-Board Reporting. The board may want to establish a greater level of understanding with senior management on the level of risk and compliance reporting it should receive from its executives in order to satisfy its oversight duties. As Marchand explicity suggests, this reporting should include significant developments arising within the scope of the company’s identified risk profile.
- Red Flag Education. Directors’ oversight skills will be aided by a better understanding of the types of facts and circumstances that courts and regulators, operating in hindsight, might consider to be red flags of misconduct. While there is no hard and fast definition of a red flag, the CLO and COO can sketch out its characteristics[6] with enough direction to guide a director’s recognition skills.
- Review DOJ Guidelines. Directors should be reminded of the explicit expectations of board oversight contained in Department of Justice compliance program effectiveness guidelines.[7] The guidelines add important, practical focus to the Caremark standard, as they relate to tone, commitment, and elements of oversight.
- Confirm Program Evolution. The board should be encouraged to confirm with management the extent to which the company’s compliance program has evolved in response to changes in its line of business and its regulatory environment. Directors should also consider whether the program has changed as necessary over time to address existing and changing compliance risks, and lessons learned from prior compliance problems.
- Support Whistleblowers. Taking a cue from the headlines, the board may make particular inquiry of the effectiveness of the company’s confidential reporting structure and protocols. Regulators view whistleblower mechanisms as highly probative of compliance program effectiveness. History reminds us that the voices of whistleblowers can be an important supplement to the board’s oversight process.
- Avoid Excessive Deference. The board should certainly value, but refrain from being overly deferential to, management’s views when it comes to risk and compliance concerns. The exercise of constructive skepticism by directors is an important element of corporate accountability. The unique judgment and sense of integrity of individual directors is vital to effective oversight.
- Know Mission Critical Risks. Directors of companies that operate in an environment where externally imposed regulations govern its mission critical operations will be expected to more rigorously exercise their oversight function. The CLO, teaming with the CCO, should help assure board familiarity with the most central legal and regulatory compliance issues facing the company.
- Special Issues re: Monoline Products. On a related point, it is worth noting that both cases involved companies with monoline products or services. In Marchand, it was dairy products (i.e. ice cream); in Clovis, the biopharmaceutical company had only one drug with promise for development. The inference is that boards of companies operating in only one industry or with one product or service should exercise a heightened level of oversight over legal compliance issues.
- Effective Use of Minutes. The benefits of a clear boardroom record could not be more evident. The courts’ ability in these cases to identify lapses in board oversight was based in large part on the absence of any references in the minutes to board attentiveness to the underlying issues. Well crafted meeting agenda, exhibits and minutes can be an effective defense against allegations of misconduct.
- Be “All In.” Compliance never gets old or passé, especially with a highly regulated company. There’s real value in assuring that the board committee to which compliance oversight is delegated is fully engaged in the task, that its charter is clear, and that its board reporting responsibility is understood.
The above is not intended to be all-inclusive of prophylactic measures a board can implement in response to Marchand, Clovis, and similar cases. But it is intended to be reflective of the types of measures the board may implement in that regard; measures that are intended to inform the board of its responsibilities and to reflect careful attention to carrying them out.
At their core, these cases contribute to the increasing emphasis on the level of commitment of corporate directors; the need to work harder, faster, longer on behalf of the company’s agenda. To that end, they help prompt board-level discussion on the appropriate levels of director engagement in corporate affairs generally, and compliance and risk oversight in particular.
To be sure, the sky is not falling in terms of director liability exposure. The Marchand and Clovis cases involve fairly egregious fact patterns and significant consumer and shareholder harm. But they do serve to provide a very mainstream reminder of the fundamental importance of the board’s compliance and risk oversight responsibility – which should be taken very seriously by the board, management, and their advisors.
ENDNOTES
[1] In re Caremark Int’l Inc. Deriv. Litig., 698 A.2d 959, 967 (Del. Ch. 1996).
[2] Id.
[3] Id.
[4] Marchand v. Barnhill, 212 A.3d 805 (Del. 2019)., 212 A.3d 805 (Del. 2019).
[5] In re Clovis Oncology, Inc. Derivative Litig., C.A. No. 2017-0222-JRS (Del. Ch. Oct. 1, 2019).
[6] Thoughtful commentators have “…emphasized that red flags are not simply bad news. It is not clear precisely what a red flag is, but one plausible definition is that a red flag is information that alone or in combination with other known information presents the board with an immediately known duty to act.” Mark J. Gentile and Joseph L. Christensen, “In re Citigroup: The Birth Announcement and Obituary of the Duty of Business Performance Oversight” © 2009 Bloomberg Finance L.P.
[7] U.S. Department of Justice Criminal Division Evaluation of Corporate Compliance Programs https://www.justice.gov/criminal-fraud/page/file/937501/download
This post comes to us from Michael W. Peregrine, a partner at the law firm of McDermott Will & Emery, who advises corporations, officers, and directors on corporate governance, fiduciary duties, and officer and director liability issues. His views do not necessarily reflect those of the firm or its clients