Caremark Director Liability Protections: Compliance Oversight Actions for Boards
Vinson & Elkins Vice Chair Michael Holmes led a virtual roundtable on June 24, 2020, with the Northern California Chapter of the National Association of Corporate Directors discussing how board members can meet the emerging standards for director personal liability for corporate compliance program failures.
Panelists set the stage by describing the current regulatory environment and the Department of Justice’s (DOJ) increased interest in compliance programs. The DOJ has long touted the importance of compliance programs but was not specific about its expectations, nor did it offer companies tangible rewards for investing in compliance programs. However, that has changed in just the last few years. For example, several companies with “best practices” compliance programs that have cooperated with the DOJ have been rewarded with a declination of all charges.
Moreover, the DOJ has now published very specific compliance program evaluation criteria to help its prosecutors better differentiate between strong and weak programs. The most recent update to these criteria published in June 2020 emphasizes that compliance programs for different companies should be tailored to their particular risks and, therefore, the critical foundation is a comprehensive compliance risk assessment. The updated DOJ guidance also stressed that a company’s compliance program should be adequately resourced and should incorporate the use of data to measure program effectiveness and diagnose issues.
The increased DOJ emphasis on compliance programs occurs at the same time Delaware courts are more closely scrutinizing board oversight of compliance programs under the Caremark¹ doctrine. Pursuant to Caremark, the landmark case in Delaware corporate law framing a director’s duty of care in the oversight context, courts have expressed great deference to board members’ business judgment and have consistently granted motions to dismiss claims that boards had breached their duty of oversight. But in cases decided in the past 12 months, Delaware courts are possibly showing greater scrutiny of the board’s oversight. A key takeaway from these cases is that boards must be proactive in their oversight and not wait for management to bring issues to their attention.
Drawing from these recent Delaware cases and updated DOJ guidance, V&E lawyers identified several guidelines that companies and boards should undertake to mitigate the risk of losing Caremark protection in the event of a compliance issue:
- Board members should proactively engage with management to understand and be satisfied with the company’s overall strategy for managing its compliance responsibilities. A company and its board will more easily identify any coverage gaps if there is an ethics and compliance program charter.
- Companies and boards should implement a periodic compliance risk assessment process that examines all of the company’s leading or material risks (and their controls) so that the board can confidently focus on the “mission critical” risks. If the company does not yet have such a process, it might consider retaining an external resource to accelerate its implementation.
- The board should define with management a regular cadence for and the expected content of compliance program updates. At a minimum, for mission critical compliance risks, the board should expect regular and frequent updates on the effectiveness of the controls, including exceptions and defects, and the progress of needed control improvements.
- The board should require management to adopt a written “mandatory escalation” policy that defines with specificity the types of allegations and/or the seniority level of the subject of a complaint for which the board expects to be immediately informed.
- Boards should undertake a critical self-examination to assess whether they have the right committee structure and expertise to oversee the company’s business and compliance risks. If compliance oversight responsibility has not already been formally assigned to a specific board committee by written charter, it should be done immediately.
- Boards and company secretaries should ensure that board meeting agendas, meeting minutes and materials clearly record the board’s proactive compliance risk management oversight. This contemporaneous documentation is critical to defending shareholder claims that a board failed to fulfil its duties.
Directors posed questions and engaged in lively discussion about proper reporting lines for compliance personnel, contents of meeting minutes, board member experience in the industry at hand, hotlines, escalation policies, and compliance monitors.
The concluding guidance was that there should not be excessive cause for concern as directors should be able to expect continued Caremark protections by being proactive, adopting good processes, and documenting their good faith efforts.
1 In re Caremark Int’l Inc. Derivative Litig., 698 A.2d 959 (Del. Ch. 1996).
This information is provided by Vinson & Elkins LLP for educational and informational purposes only and is not intended, nor should it be construed, as legal advice.