Mayer Brown Discusses Five Steps for Directors to Consider About Risk Governance

Historically, directors have been protected from personal liability in connection with risk management by the high standard set in the seminal 1996 Caremark[1] case. In recent years, however, courts have held that certain plaintiffs have pled facts sufficient to avoid dismissal of suits seeking to hold directors liable for failing to discharge their oversight duties. In addition, the staff of the Securities and Exchange Commission has recently made written requests to some public companies regarding their disclosure of risk oversight. In this article, we provide background on these developments and identify five steps that directors may want to consider as they develop risk governance frameworks.


Under Delaware corporate law, directors owe fiduciary duties of care and loyalty to the corporation that they serve.[2] Since the Caremark case, these duties have included an obligation for directors to exercise oversight by making a good faith effort to implement and monitor reasonable information and reporting systems and controls.[3] A director who (i) utterly fails to implement any reporting or information system or controls (a “prong 1” failure); or (ii) having implemented such a system or controls, consciously fails to monitor or oversee its operations (a “prong 2” failure), may be liable for a breach of the duty of loyalty.[4] While the Delaware General Corporation Law (“DGCL”) permits a corporation to include in its certificate of incorporation a provision eliminating or limiting the personal liability of directors for monetary damages for breach of fiduciary duty, such exculpation does not apply to, among other things, a breach of the duty of loyalty.[5]

For many years, the Delaware courts have observed that a claim that directors have breached their fiduciary duties by failing to monitor corporate affairs is “possibly the most difficult theory in corporation law upon which a plaintiff might hope to win a judgment.”[6] In particular, Delaware courts generally rejected claims that directors violated their oversight duties either because the company took on business risk and suffered losses or because the directors failed to properly evaluate business risk.[7] Furthermore, while Delaware courts were willing to entertain claims that directors violated their oversight duties by failing to implement or monitor reasonable information and reporting systems that would put them on notice of fraudulent or criminal conduct within the company or other legal compliance issues intrinsically critical to the company’s business operation, plaintiffs were generally not able to successfully advance such claims.[8]

However, in 2019, with Marchand v. Barnhill, the Delaware Supreme Court held that the plaintiff had pled facts supporting a reasonable inference that the directors of an ice cream company had “consciously failed to attempt to assure a reasonable information and reporting system existed”[9] to enable directors to monitor the company’s compliance with food safety laws. Since the Marchand decision, the number and frequency of Caremark claims brought in Delaware courts have significantly increased, and Delaware courts have focused on the existence and operation of reasonable approaches to risk governance with respect to “mission critical”[10] corporate risks as the key factor for determining whether directors should or should not face liability.

For example, in 2020, the Delaware Court of Chancery addressed both prongs of Caremark in the Teamsters v. Chou derivative litigation.[11] The plaintiff alleged that the board had (i) failed to implement adequate reporting or information systems or controls and (ii) ignored red flags about the safety of the company’s process for filling syringes with medication and other safety issues. The court stated that it did not need to decide whether liability existed under the prong 1 claim to dispose of the motion to dismiss, but noted that a report prepared by external counsel indicated that the company had a “woefully inadequate compliance system.”[12] Further, the court concluded that the plaintiff had sufficiently pled that the board had ignored red flags, such that it consciously failed to monitor or oversee the system’s operations (a prong 2 claim). In this regard, the court listed several alleged facts indicating that the board had knowledge that the corporation was conducting its program “in contravention of mission critical drug health and safety regulations,” yet failed to address such alleged misconduct.[13]

In addition to the increase in Caremark claims driven by the Marchand decision, the staff of the Securities and Exchange Commission (“SEC”) has recently expressed an interest in public companies enhancing their disclosure regarding risk oversight. Specifically, during 2022, in comment letters on proxy statements, SEC staff asked corporations to explain how the board of directors administers the risk oversight function.[14] This line of regulatory interest illustrates why risk governance is an issue that every board should be thinking about, particularly as the 2023 proxy season begins,[15] even for public companies that are not incorporated in Delaware.

Five Steps to Consider

As the Delaware courts have reiterated, there is no checklist of requirements a board must satisfy to fulfil its obligation of oversight.[16] However, we have identified several steps that directors may want to consider as they develop the type of risk governance framework that is contemplated by the post-Marchand line of Caremark cases.

Develop reporting protocols and escalation pathways. A key aspect of any risk governance framework is reporting. While risk reporting often is well-defined at an operational or management level, risk reporting systems may not always be designed to reach up to the board level. This can reflect the episodic nature of board meetings and the technical nature of many risk issues. However, directors could request that management incorporate the board and its feedback into the risk reporting ecosystem to ensure that current and emerging material risk and compliance issues are escalated to the board’s attention. Ideally, this reporting would follow a defined cadence and be more than a “we fixed it; all is well” summary. One technique to counter this mentality and to facilitate better escalation of risk issues is to require periodic reporting of all material risk and compliance issues, including resolution timelines, even if management believes it can mitigate or has already mitigated them.

Make time for risk and compliance. As noted above, risk and compliance ideally is a recurring item for board discussion and consideration. Among other reasons, by making risk and compliance reporting a recurring item, directors can help the organization manage current and emerging risks both within the organization and across its industry. Robust discussion, rather than a line item on an agenda that is never discussed or a dense report that is never reviewed, is often the key to accomplishing risk reduction. Boards should therefore strive for a regular, rigorous discussion of the current and emerging risk and compliance issues that are essential and mission critical to the company, and of what they are seeing publicly at competitors. If the format of the board agenda and the number and complexity of the risk and compliance issues do not lend themselves to discussion by the full board, then directors should consider establishing a dedicated risk and compliance committee to dive deeper on material issues and provide more frequent monitoring, especially when facing specific issues.[17]

Assess and prioritize risks. One theme of the recent Delaware cases is that a board’s approach to risk oversight should reflect the company’s business, resources, line of business, and other relevant factors. Therefore, a board is not required to analyze (or require management to analyze) every risk that confronts a company. Instead, Delaware law and the SEC expect boards to be informed of risk and compliance issues that are “intrinsically critical” to the company. Directors should thus consider how they can focus their limited resources on identifying and overseeing material risk and compliance issues. These efforts might leverage the company’s risk assessment processes, risk appetite statement, risk taxonomy and risk limits to identify and escalate issues consistently throughout the organization.

Obtain independent viewpoints. The recent Delaware caselaw has focused on the actions of the board, which is appropriate given the posture of the litigation. However, a board relies on others to provide it with the information necessary to fulfil its oversight obligations, and management might fail to provide relevant information or might inaccurately characterize information regarding risks. Therefore, boards may consider implementing measures to ensure that they receive multiple, independent viewpoints on risk and compliance issues. One technique that is used in several industries is the Three Lines of Defense model, which empowers independent risk (second line) and audit (third line) functions to monitor risks and report to the board.[18] Another approach is to develop additional escalation paths to the board, such as through management committees controlled by non-business line personnel, whistleblower reports, and communications from regulators and external auditors. Boards also might consider the retention of their own advisers (e.g., separate outside counsel) to assist with oversight of particular risks.

Document deliberations and credible challenge. Historically, some companies kept board minutes that were as brief and high-level as the meeting agenda. This practice has changed in recent years and many boards now keep more detailed minutes. Among other points, detailed minutes can show the board was engaged on critical risk issues and tested management’s assertions regarding those issues. This type of credible challenge of management by directors is a key factor in establishing an oversight practice, but must be documented to provide effective protection if a board’s process is questioned in litigation or by the SEC. In addition, board minutes that can show action the board took to address red flags that came to its attention can be evidence to refute a prong 2 claim. However, it is important to maintain proportionality and rationality in minute-taking. Verbatim transcripts generally are not appropriate, nor is electronic recording, which may create other types of litigation risk.


[1] In re Caremark Int’l Inc. Deriv. Litig., 698 A.2d 959 (Del. Ch. 1996).

[2] Stone v. Ritter, 911 A.2d 362, 370 (Del. 2006); see also Gantler v. Stephens, 965 A.2d 695, 709 (Del. 2009) (“the fiduciary duties of officers are the same as those of directors.”).

[3] See Caremark, at 971; Stone v. Ritter, 911 A.2d at 370; see also In re McDonald’s Corp. S’holder Deriv. Litig., 2023 WL 387292 at *18 (Del. Ch. Jan. 25, 2023) (“officers owe duties of oversight comparable to those of directors.”).

[4] Stone v. Ritter, 911 A.2d at 370.

[5] See Section 102(b)(7) of the DGCL. In addition, Section 145 of the DGCL requires that in order for a director to receive indemnification from the corporation, the director, among other things, must have acted in good faith.

[6] See, e.g., Stone v. Ritter, 911 A.2d at 372 (citing Caremark, 698 A.2d at 967).

[7] In re Citigroup Inc. S’holder Deriv. Litig., 964 A.2d 106, 130 (Del. Ch. 2009); Asbestos Workers Local 42 Pension Fund v. Bammann, 2015 WL 2455469, at *14 (Del. Ch. May 22, 2015) (“It is not entirely clear under what circumstances a stockholder derivative plaintiff can prevail against the directors on a theory of oversight liability for failure to monitor business risk under Delaware law; the Plaintiff cites no examples where such an action has successfully been maintained.”).

[8] In re Citigroup Inc. S’holder Deriv. Litig., 964 A.2d at 131 (“There are significant differences between failing to oversee employee fraudulent or criminal conduct and failing to recognize the extent of a Company’s business risk.”); In re General Motors Derivative Litig., 2015 WL 3958724, at *3 (Del. Ch. 2015) (dismissing a Caremark claim despite the fact that the company’s actions “led to monetary loss on the part of the corporation, via fines, damages and punitive damages from lawsuits; reputational damage; and most distressingly, personal injury and death to GM customers.”); Stone v. Ritter, 911 A.2d at 370 (entertaining a claim that the company failed to put into place policies and procedures to ensure compliance with anti-money laundering obligations but determining that such policies and procedures actually existed).

[9] Marchand v. Barnhill, 212 A.3d 805, 809 (Del. 2019) (internal quotations omitted).

[10] Id., at 824 (stating that Caremark requires that “a board make a good faith effort to put in place a reasonable system of monitoring and reporting about the corporation’s central compliance risks”). See also, Firemen’s Ret. Sys. of St. Louis v. Sorenson, 2021 WL 4593777 (Del. Ch. Oct. 5, 2021) (“Key enterprise risks affecting a corporation’s ‘mission critical’ components has been a focus of Delaware courts in assessing potential oversight liability”).

[11] Teamsters Loc. 443 Health Servs. & Ins. Plan v. Chou, 2020 WL 5028065 (Del. Ch. Aug. 24, 2020); see also In re Boeing Co. Deriv. Litig., 2021 WL 4059934 (Del. Ch. Sept. 7, 2021).

[12] Teamsters v. Chou, at *26.

[13] Id., at *25.

[14] See, e.g., Letter to Dell Technologies dated September 1, 2022 (requesting additional disclosure to address, for example, “the timeframe over which you evaluate risks (e.g., short-term, intermediate-term, or long-term) and how you apply different oversight standards based upon the immediacy of the risk assessed; whether you consult with outside advisors and experts to anticipate future threats and trends, and how often you re-assess your risk environment; how the board interacts with management to identify significant emerging risks; and whether you have a Chief Compliance Officer and to whom this position reports.”); see also Nicola White, SEC Presses Dell, Amex, Others in Broad Sweep for Proxy Details, Bloomberg Law (Nov. 7, 2022).

[15] The Dell letter, for example, directed the company to refer to Item 407(h) of Regulation S-K for guidance on disclosure requirements (which Item requires disclosure regarding Board leadership structure and role in risk oversight). Thus, even if a company did not receive a comment letter specifically urging it to expand its risk oversight-related disclosure, we believe it would be prudent for companies to re-visit Item 407(h) of Regulation S-K and confirm that the company is addressing the required disclosure with sufficient specificity in its 2023 proxy statement and going forward.

[16] Boeing, 2021 WL 4059934 at *26 (“I do not track the deficiencies Marchand identified because they are any sort of prescriptive list”). Delaware courts have been even less prescriptive regarding the requirements an officer must satisfy to fulfil their obligation of oversight, noting that most officers “have a more constrained area of authority” than the board and remain subject to direction by the board regarding their obligations and responsibilities. See McDonald’s, 2023 WL 387292 at *19.

[17] A committee that is delegated responsibility for overseeing risk must perform the delegated duties. See Construction Indus. Laborers Pension Fund v. Bingle, 2022 WL 4102492 at *12 (Del. Ch. Sept. 6, 2022) (“nominal acts of delegation, such as delegating oversight responsibility to a Board subcommittee that failed to meet, or that failed to investigate serious misconduct after being put on notice, are not preclusive of an oversight claim”).

[18] See our article on the Three Lines of Defense Model:

This post comes to us from Mayer Brown LLP.