Expectations surrounding the role of the board of directors in risk oversight have evolved. Delaware courts are entertaining more duty-of-oversight claims. The US Securities and Exchange Commission (“SEC”) is calling for more fulsome risk-related disclosure. Here is what directors and public companies should keep in mind in 2023.
“Caremark” Takes a Turn: The seminal 1996 Delaware court case, In re Caremark International Inc. Derivative Litigation, has historically set the stage with respect to the legal standard for directors’ risk oversight duties. In the Caremark line of cases, Delaware courts held that directors can be liable for a failure of board oversight only where there is “sustained or systematic failure of the board to exercise oversight," such as (i) an utter failure to implement any reporting system or controls, particularly of “mission-critical” functions or (ii) even when such a system or controls are in place, a conscious failure to oversee corporate operations, notably when presented with red flags of imminent problems. This presented a high bar to clear, and in the decades that followed, courts regularly dismissed stockholder suits claiming a total failure of oversight responsibility. However, recently, there have been a growing number of cases where Caremark claims survived motions to dismiss and were permitted to proceed against directors. Some key takeaways from these cases include:
- Good Record Keeping Is Important. Meeting minutes should document the board’s careful attention to risk oversight, including discussion of legal compliance matters applicable to the business and monitoring of other mission-critical functions.
- Consider a Risk Committee/Develop Risk Protocols. A risk committee is not required, but if there is not one, there should be clear and documented protocols in place for who at the board level will monitor risk and how management will report any relevant issues to the board. For example, if there is no standalone risk committee, then it is advisable to have committee charters that reflect which board committees are responsible for monitoring risk. “Red flags” cannot simply be ignored.
- Trainings on Key Issues Can Help. If there are particular areas of exposure or applicable emerging areas of risk (such as cyber-attacks), for which directors do not already have expertise or familiarity, it is important that directors develop a working knowledge of key issues. This can often be done by leveraging the expertise of management and outside advisors through training sessions.
Caremark claims, which allege violations of a director’s fiduciary duty of loyalty that are not exculpable under a corporation’s certificate of incorporation and may not be indemnifiable by the corporation, may create heightened pressure to settle should they survive a motion to dismiss.
The SEC Has Called for More Disclosure: In 2022, a number of public companies received a letter from the SEC asking for increased risk disclosure to be included in their future proxy statements. More specifically, many of the letters included requests such as: "Please expand upon how your board administers its risk oversight function. For example, please disclose":
- Why your board elected to retain risk oversight rather than assign oversight to a board committee.
- Whether you consult with outside advisors and experts to anticipate future threats and trends, and how often you re-assess your risk environment.
- The timeframe over which you evaluate risks and how you apply different standards based upon the immediacy of the risk assessed.
- Whether you have a Chief Compliance Officer and to whom this position reports.
- How your risk oversight process aligns with your disclosure controls and procedures.
The SEC has generally said that risk oversight disclosure has become too boilerplate to be helpful to stockholders, and that this needs to be remedied. The letter that included the above disclosure requests, for example, directed the company to refer to Item 407(h) of Regulation S-K for guidance (which Item requires disclosure regarding Board leadership structure and role in risk oversight). Thus, even if a company did not receive a letter specifically urging it to expand its risk oversight-related disclosure, it would be prudent to re-visit 407(h) of Regulation S-K and confirm that the company is addressing the disclosure requirements with sufficient specificity in its 2023 proxy statement and going forward.