Board oversight of C&E programs: how much is enough?

There was a time when a company’s merely having a code of conduct could be enough to dismiss a claim against the company’s directors under the Caremark case for failed compliance program oversight. But those days are now gone.

In his forthcoming article in the Journal of Corporate Law, “Max Oversight Duties: How Boeing Signifies a Shift in Corporate Law,”  Roy Shapira of the University of Chicago Booth School of Business writes: “In September 2021, the Boeing 737 Max debacle turned into an important moment in corporate law. A Delaware court allowed a derivative lawsuit brought by Boeing shareholders to proceed, based on the theory that Boeing’s directors breached their oversight duties by not doing enough to monitor, prevent, and react to fatal airplane safety issues.”

Shapira further notes that for many years: “Some compliance was enough compliance. Boeing shows that this is clearly not the case today. Consider the following examples: Boeing’s board agenda reflected allocating time to discuss safety, yet the court criticized them for allotting only five minutes. Boeing’s board minutes invoked ‘safety’ several times, yet the court criticized them for doing this only in passing and in the context of getting on the regulator’s good side. The minutes also showed that management shared information on airplane safety with the board, yet the court faulted them for not treating information from management more critically. All in all, Boeing shows just how much courts are willing to scrutinize what directors should have known and how they should have reacted.”

Note that such scrutiny (under this and the Marchand case handed down last year) does not apply to all risk areas. But it does apply to “mission critical,” ones, which airplane safety clearly is for Boeing. And, as Shapira notes, for large companies there can be many such areas.

The enhanced focus on “mission critical” risk areas will indeed require many boards to “up their games.”

One obvious way to start is with a C&E board assessment, meaning an assessment of how the board is likely to fare in any Caremark case brought against its directors.

This would include determining whether the board has appropriately identified mission-critical risk areas.  It would also entail ascertaining how the board has enacted relevant governance documentation (e.g., committee charters) and what information it has received about the risk area(s) both from written reports and in-person presentations.

Among other things the assessment would involve assuring that the board was in fact doing all the things the governance documentation provides they should do. (In this connection, I know of one  respected company where the board approved minutes of committee meetings that in fact never happened.)

Lastly, this type of assessment should be conducted by an independent expert. That is, given how powerful directors can be in a company asking its internal staff (law, compliance, audit) to assess the efficacy of a board’s C&E program oversight might be too much to get an unbiased view.

.