Directors and compliance programs: a look at the law

Many years ago, I was previewing for a general counsel a presentation on compliance programs that I was planning to make to his company’s board of directors, and I mentioned the real prospect of individual liability under the Delaware Chancery Court’s 1996 opinion in the Caremark case. (Caremark – for readers who aren’t US lawyers or compliance professionals – is probably the nation’s most often cited compliance program case in modern times.) The GC stopped me to note that the potential for such liability was actually remote under Caremark. He was right and I have tried to avoid making the same mistake again.

In an article to be published in the Temple Law Review – and summarized on the Harvard Law School Corporate Governance Forum – Professor Donald C. Langevoort of the Georgetown University Law Center takes a look at the role that Caremark has played over the last 20 years in encouraging directors to promote compliance at their respective companies. It is a thoughtful and informative piece that is strongly recommended for those who advise boards on C&E matters. Among other things, it can help such advisors avoid making the mistake that I nearly did, and instead focus on the legal expectations that matter most to boards.

He starts with a page of history:

There is a lively academic debate over whether Caremark’s causal impact on the unmistakable growth curve of compliance has been overstated. After all, the holding in the decision (approving a de minimis settlement) was that the standard for holding directors of Delaware corporations liable for monetary damages under a test requiring “sustained and systematic indifference” to compliance oversight would be exceedingly hard to prove. Plus federal law had already been trending strongly in the direction of a robust corporate compliance obligation in many disparate fields of regulation (e.g., antitrust, financial services, healthcare, defense contracting) and—as Caremark duly noted—the Organizational Sentencing Guidelines had made the presence and quality of compliance (including board oversight) a substantial factor in the size and severity of any federal penalty for criminal wrongdoing. Within a few years would come even bigger waves of pressure from Washington, via the emergence of deferred prosecution agreements, corporate charging decisions, and—for public companies—the mandates of the Sarbanes-Oxley Act, which required new board structures, internal control processes and whistleblower protections to address the risk of financial misreporting, which arises in the face of any material corporate wrongdoing. …But we need not obsess on history. Caremark is at the very least a label attached to what all now agree is a necessary and proper subject of attention for every board of directors: corporate compliance as a function within the broader task of enterprise risk management.

Langevoort next looks at the case law under Caremark regarding directors who were allegedly confronted with “red flags” of wrongdoing within their respective companies. He notes that that law creates an arguably perverse incentive for management to not escalate such information to the board, at least where (as is often the case) there is some ambiguity as to its meaning. Nonetheless, he writes:

Today, however, I doubt that well-advised boards take this position (though some probably wish they could). The reason, once again, stems mainly from pressures from regulators and enforcers at the federal level, who have come to believe in the value of a stronger board-level presence in compliance. The Organizational Sentencing Guidelines, COSO principles and numerous regulatory pronouncements seek not only board approval of written policies and procedures and key compliance personnel decisions, but a much more interactive involvement that includes reporting lines running from the chief compliance officer (and perhaps chief legal officer) directly to the board, unfiltered by senior executives.

Finally, he asks whether Caremark was incomplete with respect to its understanding of the causes of and means to prevent wrongdoing by companies:

We are increasingly coming to see how and why ethical and legal lapses occur. Corporate cultures are belief systems—transmitting to loyal, committed managers and employees a sense of what is valued, and what is denigrated. They help coordinate the activities of numerous stakeholders, an essential task in making the complex corporate system function. When corporations are under immense (often shareholder-driven) competitive pressure to succeed, belief systems can become facilitators for what it takes to survive and thrive, the grease in the corporate machinery. When circumstances create temptations to behave illegally, those beliefs can provide rationalizations that explain why what is profitable is also morally acceptable, via what psychologists call motivated inference. Once these kinds of rationalizations take hold, wrongdoing starts to happen, in small steps, then bigger ones…Caremark gives no hint of any of this, though that is not a criticism. At the time, culture and norms were not central to thinking about governance or compliance.

The past twenty years have seen a significant transformation regarding these matters which – Caremark aside – creates new and heightened expectations when it comes to the sort of regulatory pronouncements Langevoort features in his article.

Of course, corporate directors often need help when it comes to understanding and addressing their respective organizations’ culture and norms. Here are some initial thoughts of mine on the topic of culture assessments, but there is obviously a lot more that can be and has been said about it (including by Professor Langevoort). And I look forward to the next twenty years – when we will see if the law regarding directors and compliance lives up to the potential suggested by our emerging knowledge about corporate culture and wrongdoing.

Finally, yesterday I spoke with a reader of the blog who asked how much the point of the piece – that directors’ most significant C&E expectations come not from Caremark but from regulatory pronouncements – really mattered. I think it does matter, because if directors believe that the C&E officers who report to the board are wrong about the law they may be less inclined to trust them on other matters, which could be bad for all involved.
