How Boards of Directors Should Protect Against the Rising Storm

Prosecutors, regulators, investors, and the media are increasingly holding directors and officers accountable, while special interest groups, plaintiffs’ lawyers, and activist hedge funds are constantly looking for their next targets.

This new reality requires directors to be aggressive in overseeing legal, ethical, and reputational risks that, in many cases, prior generations of boards did not even have to face. Those risks include cyber-security, data breaches, data privacy, ESG issues, and false rumors that can spread almost instantaneously and destroy a company’s reputation. And thanks to social media, directors and their companies are subject to more scrutiny than ever before.

Much of that scrutiny comes from index funds, which have made it clear that, instead of selling their shares, they are willing to replace inadequate boards (and management). What’s more, the Delaware Supreme Court and federal regulators have shown that boards will be held legally accountable for oversight failures.

To protect themselves, boards must be more proactive and independent of management in ways beyond what the business judgment rule requires. In particular, they must challenge management’s thinking and alert it to areas of concern.

The Traditional Protections for Boards

Historically, the legal landscape has been favorable for boards of directors.  Directors could be sued in civil actions for breaching their fiduciary duties of loyalty and care.  However, the business judgment rule created a presumption that directors were acting in good faith, a hurdle generally difficult to overcome.

As a result, directors have not usually faced a realistic threat of personal liability in most derivative and shareholder litigation.  If not dismissed, lawsuits against directors are usually settled within insurance policy limits, and, with a few exceptions, directors have not paid money out of their own pockets.

Meanwhile, the nature of directors’ oversight usually insulated them from knowledge of misconduct and further protected them from allegations of criminal liability.  If criminal conduct was found in the company, it was usually thought by prosecutors that directors were simply misled by management.

A New Landscape Is Emerging

But things are changing.  Last year, the Delaware Supreme Court allowed a derivative lawsuit against directors of Blue Bell Creameries USA, Inc., to proceed based on allegations that the directors failed to implement and monitor – at the board level – a reasonable system to oversee whether the company’s ice cream was safe for consumers.

When a listeria outbreak occurred at Blue Bell’s plants, the board minutes did not reflect any discussion of it.  When the board was informed about the outbreak, it delegated the response to management. Three people eventually died because of the outbreak.

The court was sharply critical of the board for allegedly relying on management reports about “operational issues” and not setting up its own system of monitoring key compliance risks.  It did not matter to Delaware’s highest court that Blue Bell operated in a highly-regulated industry, that its plants were subject to regular inspections by government officials, or that its management was monitoring the situation.

Similarly, after Equifax’s historic data breach, the FTC sought to ensure that the board was engaged in data security.  As a result, Equifax’s settlement with the FTC requires the board of directors to certify annually that it has overseen compliance with the order and is not aware of any noncompliance. Setting an affirmative board oversight requirement for compliance adds duties and risks to director service beyond the traditional business judgment rule.

That increased scrutiny tracks what we have seen from federal prosecutors, who are looking more deeply at the efforts of boards and are asking more probing questions of what directors have done and failed to do while overseeing corporate compliance programs.  Last year, the Justice Department released detailed guidance designed to take the mystery out of effective compliance programs, including the very questions that should be asked by directors of those programs.

How Should Boards React to Rising Expectations?

The Blue Bell decision, the Equifax-FTC settlement, Justice Department guidance, and growing demands from shareholders and other members of the public reflect rising expectations for what boards should do and how board materials should reflect those efforts.  Detailed below are four practices that boards should adopt to meet and exceed the rising expectations.

1. Establish a strong “tone at the top” and instill it in the company by overseeing legal, regulatory, compliance, ethical, and reputational risks on a comprehensive basis.

Having worked with dozens of boards seeking to address and remedy highly publicized legal, ethical, and operational failings, we have discovered that, in almost every case, the board had not successfully established a culture of doing the right thing, which likely would have mitigated or eliminated the failing in question.

Establishing such a culture is not an easy task.  The culture must span organizational departments and encompass all of the pertinent functions.  Operational silos are often the single biggest threat to a strong, consistent company culture.

In many companies, compliance, regulatory, and specific legal functions have been created at different times in response to new laws or regulatory demands.  However, if the legal, regulatory, public affairs, communications, and compliance departments are not bound together, there is a significant opportunity for miscommunication and disagreement.  Even worse, the functions may develop different priorities or objectives, which will allow important issues to fall through the cracks.

By establishing a committee or subcommittee to oversee risk, particularly if that committee uses an enterprise risk-management process, the board is better able to ensure that the tone it intends is actively embraced by the primary risk functions, thus mitigating the company’s risk.

2. Establish a data governance function that manages data collection, security, privacy, usage, and ethics and regularly reports to the board.

As data security has become a board-level issue, companies have created the position of chief information security officer, or CISO. If a company does not have a CISO, it needs to create the position now.  With privacy regulation now expanding beyond specific industries, the chief privacy function is growing. AI, facial recognition, and other innovations are producing profound usage and ethical issues. Some companies have adopted data usage models that may soon be regulated out of existence.

Soon, every piece of data in a company will need to be tagged and managed to maximize the benefits from its use and minimize the harms. The overall culture of doing the right thing should control decision making, but having a chief data officer or oversight management group will be essential to integrate the various data functions.

3. Regularly engage third-party governance experts to ensure legal, ethical, and reputational risk management functions are operating effectively.

Professional and independent fact-finding must periodically be used to assure proper oversight.  Financial audits are effective in removing the fear that the board is relying on bad financial information.  Governance reviews can be designed to eliminate concerns about inadequate legal, ethical, and reputational risk management.

When boards have engaged us in reaction to a crisis, our mission has been to determine what happened, why, and how it can be prevented from happening again.  Over time, we have used that fact-finding methodology for preventive reviews.  Document reviews quickly determine whether best-practice systems are in place, but interviews verify whether those systems are working.  In preventive reviews, company employees are generally more forthcoming when an independent third party is leading the effort and can report findings without attribution.

4. Maintain adequate written records documenting the board’s oversight. 

Traditionally, boards of directors do not have significant materials reflecting their efforts at monitoring compliance.  Board minutes may contain brief references to oversight efforts, and most boards receive various presentations from management.  That absence of detail was one of the problems facing Blue Bell’s directors.

Without an adequate written record, it is too easy to assume that the board was not monitoring the compliance program.  That does not mean the board has to issue written reports, but the minutes and accompanying materials should reflect that the board has spent significant time considering the company’s central compliance risks.

Adjusting to the New Landscape

If boards do not improve their oversight, investors are likely to have greater success in removing directors, and plaintiffs’ lawyers will bring more breach of fiduciary duty claims.  Prosecutors are likely to spend more time investigating whether directors turned a blind eye to misconduct.  Now that there is so much guidance for compliance programs, it will be easier to argue in the future that directors who ignored it are acting in bad faith.  Directors should ensure that D&O policies will cover the increased risks that directors and officers are likely to face.

Boards and senior management need to find ways to learn the facts about how the organization is conducting itself.  Is there one culture of doing the right thing, or are hidden subcultures doing bad things?  It is just a question of time before independent governance assessments become the norm for boards and senior management in protecting the company and its stakeholders from a rising storm.

This post comes to us from Bill Ide, who is a partner at the law firm of Akerman and was general counsel of Monsanto, counsel to the United States Olympic Committee, and president of the American Bar Association, and from Michael Kelly and Amanda Leech, who are partners at Akerman.