The Pandemic’s Impact on Board Oversight of Enterprise Risk

One of the most significant corporate governance implications of the pandemic may be its impact on the role and function of a board’s enterprise risk committee. From one perspective, the pandemic may increase that committee’s significance, potentially putting it on a par with the audit committee. From a related perspective, it may prompt the board to contemplate how much oversight it expects from that committee.

The catalyst for such change is grounded in six interconnected factors: (i) the broad-based creation of board committees focused on enterprise risk management (ERM); (ii) the nature and scope of the pandemic; (iii) second guessing of risk preparedness likely to emerge from the pandemic; (iv) evolution of the Caremark oversight standard over the past year; (v) the lessons on risk identification and disaster response that corporations are certain to take from the pandemic; and (vi) the relevance of former U.S. Secretary of Defense Donald Rumsfeld’s famous observations on risk preparedness.

ERM Overview

Enterprise risk management (ERM) is generally a means by which corporate boards may improve their comprehensive oversight of risk. It is designed to identify potential events that may affect the company and allow management of reasonably tolerable. These risks range from the obvious (e.g., compliance, operational, market, financial, fraud, information technology, supply chain, health and safety) to the less clear (e.g., political, reputational, product liability, environmental/climate change, disaster). An ERM program aims to provide boards with reasonable assurances that the company can achieve its objectives in the event any such risks occur.[1]

What’s Changed?

The COVID-19 pandemic has validated the need for a vital ERM function (if there had been any doubt). The pandemic implicates the full array of most companies’ identified ERM risks. Perhaps more significant is the extent to which it has confirmed that disasters can occur, and may henceforth be given greater consideration in the ERM risk identification process. As columnist Peggy Noonan suggests, “[W]e’re on a shakedown cruise. Knowledge of how to handle a coming, more difficult pandemic [or other disaster] is being gained now, by all of us.”[2]

Boards will certainly have reason to analyze their ERM functions simply by virtue of their own   experiences during the pandemic. But that analysis may be influenced by concerns that for the near future, second guessing on all matters of board preparedness will be the order of the day. The atmosphere of political finger pointing that may extend through the November elections is likely to spill over into the world of corporate governance. Criticism and challenges will undoubtedly come from corporate stakeholders through derivative litigation or otherwise.

The Impact of Delaware Law

The concerns related to this criticism may be exacerbated by two 2019 Delaware decisions suggesting a shift in application of the historically director friendly Caremark standard for board oversight of a company’s information reporting systems.

A Caremark claim is one of the most difficult theories in corporation law to prove.[3]  It requires particularized facts that either (i) “the directors completely fail[ed] to implement any reporting system or controls, or…[(ii) having implemented such a system or controls, consciously fail[ed] to monitor or oversee its operations thus disabling themselves from being informed of risks of problems.”[4]

Yet in both Marchand v. Barnhill[5] and In Re Clovis Oncology,[6] the courts allowed a breach of duty action to proceed based on allegations that the board was essentially indifferent to its obligation to exercise oversight of the company’s compliance with law – including regulatory mandates. Marchand is particularly relevant to the ERM conversation as it involved the level of board oversight of a listeria outbreak that had tragic consumer and corporate consequences.

Will Caremark be the standard for evaluating board oversight of the ERM function (and if not, what will replace it)? Second, if Caremark will remain the standard, will it be under the stricter interpretation applied in Marchand and Clovis? At this point – and in the absence of any cases to the contrary – it may be prudent to assume that the Marchand version of the Caremark standard will apply to board oversight of ERM.

This will, in turn, place a premium on close board evaluation of the effectiveness of the current ERM program and how the pandemic has affected it.

A Recommended Action Plan

Experience suggests that this evaluation process may occur at two levels:

First, at the implementation level, (i) are ERM duties best located in a dedicated committee or combined with other committee functions; (ii) is the corporate charter sufficient to create a committee responsible for ERM; (iii) who should be on the committee; (iv) are committee members distracted by other board duties; (v) how often and in what form should the committee meet; and (vi) which members of management are best qualified to attend committee meetings?

Second, at the policy level, how should risks be identified, evaluated, and addressed? One framework might apply Donald Rumsfeld’s famous series of “knowns and unknowns:”

  • The “known knowns:” These would be the enterprise risks that are well known to the board (e.g., the traditional risks together with the known risk of pandemic) for which the level of ERM diligence and planning would be appropriately high;
  • The “known unknowns:” These would be the enterprise risks that the board knows that it does not know; (e.g.; the potential for other disasters like a pandemic) for which the level of ERM diligence and planning would be careful and attentive but at a degree less than for that for the “known knowns”; and
  • The “unknown unknowns:” These would be the enterprise risks that the board doesn’t know it doesn’t know (e.g.; risks of which no reasonable person could be expected to be aware and may not yet exist) for which some fundamental corporate preparedness plan could be implemented no matter the circumstances.

Helpful to evaluating the “known unknowns” and “unknown unknowns” of enterprise risk is a committee-based culture of imagination. This refers to the creativity to look around the next corner and beyond the horizon for signs of future enterprise risks.[7]

A Worrisome Trend

The operative assumption is that, without regard to the pandemic, most sophisticated companies have adopted a comprehensive information reporting system that keeps the board informed on enterprise risks. But a new survey from the research and advisory company Gartner suggests that assumption may be incorrect.

Of more than 900 audit and risk leaders surveyed by Gartner in late March, most are focused on assessing the impact of the pandemic on organizational operations and controls and on revising and executing the company audit plan. Only 4 percent of respondents reported that updating the board was their primary focus, while 21 percent reported executing the audit plan as the top priority.

These new data should be taken seriously by board leadership, as they go to the core of the board’s oversight responsibilities.

Conclusion

Corporate boards will be motivated for multiple reasons to evaluate, and most likely enhance, the oversight of ERM. It will be important for the corporation, and for directors’ personal liability, that the ERM process incorporate lessons from the pandemic.

While the process may require more imagination in evaluating risk, it should keep sight of what is reasonable to avoid distracting committee members or frustrating senior management. But maintaining the status quo on ERM oversight after the pandemic may itself create risk.

ENDNOTES

[1] See, generally, Committee of Sponsoring Organizations of the Treadway Commission (COSO), Enterprise Risk Management—Integrated Framework, Sept. 2004, available for purchase at http://www.coso.org/guidance.htm, Executive Summary, available at http://www.coso.org/Publications/ERM/COSO_ERM_ ExecutiveSummary.pdf. See also The Conference Board, Adapting to Regulatory.

[2] https://www.wsj.com/articles/new-york-is-the-epicenter-of-the-world-11585869852.

[3] In re Caremark Int’l Inc. Deriv. Litig., 698 A.2d 959, 967 (Del. Ch. 1996).  Stone v. Ritter, 911 A.2d 362, 372 (Del. 2006)).

[4] Id.

[5] Marchand v. Barnhill, 212 A.3d 805 (Del. 2019)., 212 A.3d 805 (Del. 2019).

[6] In re Clovis Oncology, Inc. Derivative Litig., C.A. No. 2017-0222-JRS (Del. Ch. Oct. 1, 2019).

[7] https://www.nytimes.com/2011/03/11/business/11sec.html?smid=em-share.

Michael W. Peregrine, a partner at the law firm of McDermott Will & Emery, advises corporations, officers, and directors on matters relating to corporate governance, fiduciary duties, and officer and director liability issues. His views do not necessarily reflect those of the firm or its clients.