When public companies announce bad news—regulatory compliance failures, government investigations or enforcement actions, workplace safety incidents, product recalls, data breaches, cyber-security incidents, or other adverse events—stockholders (and securities plaintiffs' lawyers) often claim that corporate directors breached their duty of loyalty by failing to exercise adequate oversight, under a theory first recognized in Delaware's seminal Caremark decision. These so-called Caremark duties require directors to (i) make a good faith effort to put in place a reasonable board-level system of monitoring and reporting to identify significant risks requiring the board's attention, (ii) monitor or oversee the reporting system, and (iii) take reasonable steps to consider and address any significant "red flags" that are raised with the board through the risk reporting system.
The tips below provide guidance for directors to both meet these oversight duties and create a clear record of having done so, to assist in defending against Caremark claims.
IDENTIFY KEY, "MISSION-CRITICAL" RISKS
- The board or a designated board committee should conduct a risk assessment, identifying the company's key areas of operational, financial, regulatory, legal, and reputational risk; some boards do this on an annual basis
- The risk assessment should identify key risks considering the company's specific situation, including its industry and geography
- The risk assessment should include meaningful input from senior management, including the chief compliance officer and general counsel
- Boards also may engage outside counsel or other outside advisors to assist with the risk assessment
- Directors should consider whether the risk assessment should be updated when significant company events—such as new product launches, material acquisitions, or changes in leadership—occur
DESIGN AND IMPLEMENT SYSTEMS TO MONITOR RISK MANAGEMENT AND FOR REPORTING OF INFORMATION TO THE BOARD
- Boards should ensure the company has adequate risk management and compliance processes in place
- Risk management processes typically include a code of conduct, internal reporting mechanisms, a hotline or other medium for anonymous reporting, and disciplinary procedures
- Boards may consider formally designating risk management and compliance oversight responsibility to a board committee—the audit committee or a dedicated risk management or compliance committee
- Boards should designate a senior officer—typically the chief compliance officer or general counsel—as responsible for reporting to the board or designated committee on risk management and compliance
- The designated officer should regularly provide compliance and risk management reports at board or committee meetings and should have direct access to the board outside of regular meetings
- Boards should instruct management to promptly report red flags—including pertinent whistleblower complaints and regulatory inquiries—to the board or designated board committee
CONSIDER INFORMATION SHARED WITH THE BOARD AND TAKE ACTION, WHEN NECESSARY, TO ADDRESS ISSUES IDENTIFIED
- When red flags are raised, the board should ensure that it is adequately informed about the issue, which may include taking additional steps necessary to investigate
- Once it is adequately informed, the board should consider taking concrete action to address the issue
- Boards may consider engaging outside counsel to advise them when responding to red flags
- If the board concludes not to take further action, it should document both the reasons for this conclusion and the scope of its review
MAINTAIN MEETING MINUTES AND OTHER RECORDS TO DOCUMENT BOARD'S RISK OVERSIGHT
- Meeting minutes are the formal, official record of board and committee meetings
- Board and committee meeting minutes should document regular discussions of risk management and compliance issues, including:
  - Recording the general substance of risk management and compliance reports by management
  - Identifying outside advisors in attendance (auditors, outside counsel)
  - Reflecting the fact that directors asked questions and the general nature of those questions
  - Noting if the board met in executive session on risk management generally or any red flags specifically
- If a compliance concern, regulatory inquiry, whistleblower complaint, or other potential "red flag" is raised at a board meeting:
  - Minutes should reflect the nature of the issue, the board's active discussion of it, and any specific actions directed by the board
  - Minutes of subsequent meetings should reflect that the board received follow-up reports and discussed whether further action was necessary
- All formal resolutions, approvals, and delegated actions should be recorded and reflected in minutes
- Supporting materials—board packages, compliance reports, presentations—should be retained along with the minutes
The Corporate Governance Field Guide offers concise, practical insights on the issues that matter most to directors, officers, stockholders, and other stakeholders. Each installment delivers actionable perspectives and highlights best practices from our Board Governance and Fiduciary Duty team on the risks and trends impacting today's boardroom. Please reach out to any member of our team to learn more.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.