What Determines a Breach of Oversight Duties?

Corporate law’s oversight duty doctrine is becoming more and more important. Companies are facing increased societal and regulatory demands, and are pouring resources into internal compliance programs meant to detect and prevent wrongdoing. When corporate compliance fails, shareholders and regulators wish to hold those at the top of the corporate hierarchy accountable. In the US in particular, these trends meshed with increased willingness on the part of Delaware’s courts to fault directors for constructive knowledge, and to grant shareholders access to internal company documents.

But the rapid resurgence of oversight duties has created a mismatch: the doctrine has become one of the most important in corporate law yet remains underarticulated. Courts are facing a tough task in setting the parameters of the duties and applying them to ever-evolving compliance risks.

In a new article I aim to conceptualize the doctrine and highlight the public policy implicated in it. One particularly basic-yet-thorny question that the article tackles is how to determine breach: when to hold directors personally liable for not doing enough to prevent wrongdoing by others in their company? In Delaware, the standard of liability is bad faith. Failure-of-oversight claims thus usually boil down to what courts can infer about directors’ mental state from external evidence about directors’ actions and the circumstances in which they took them. The Article identifies the external ‘markers’ that courts use to infer directors’ bad faith in each type of oversight duty claims.

One variant of oversight duty claims is ‘information-systems.’ The idea here is that directors cannot be passive about their companies’ compliance efforts. Instead of waiting for someone to flag problems to them, directors must proactively put in place a system that consistently monitors problems. This was the main innovation of Delaware’s Caremark decision in 1996. Back then, the compliance industry was still nascent, and so the requirement to install a board-level monitoring system was seen as an innovative call for action. Nowadays, virtually every large company boasts an elaborate compliance program that reports to the board. Accordingly, the relevant question these days is not whether information systems exist, but rather whether information systems are effective.

To be sure, courts are largely deferential to directors’ decisions on how to design information systems, and what types of information needs to flow up to the board. Still, for a certain subset of compliance risks courts do not hesitate to scrutinize directors’ decisions. Certain compliance risks are simply too important for directors to delegate away and uncritically accept whatever information others are feeding them. For these risks, courts may treat a lack of indication that directors knew about problems as an indication that directors were breaching their duties.

When is the fact that the board delegated away oversight of an issue indicative of bad faith? In practice, the answer to these questions comes down to two words: mission critical. When the compliance risk at hand strikes at the core of the company’s business (is ‘mission critical’), lack of evidence that directors discussed it may become evidence that directors were not trying in good faith to engage in oversight.

Based on rapidly emerging case law, the Article gleans several indicators that courts use to designate risks as mission critical. Sometimes the centrality of a risk is self-evident. One classic example is ‘monoline’ companies that sell only one product. If you are a director of a company that sells only ice-cream, and you do not discuss food safety issues, you are breaching your oversight duties. But the mission-critical zone extends beyond single-product companies. Even boards of multinational corporations with dozens of products and subsidiaries face risks that are critical and cannot be ignored. For a giant airplane-manufacturing company, airplane safety is mission critical. For a giant drug distributor, meeting FDA regulatory requirements is mission critical. To generalize, for a company that operates in a heavily regulated environment, meeting core regulatory requirements is a critical task that the board must put on its agenda.

When the criticality of a certain risk is not self-evident, courts can turn to the company’s own disclosures to learn about what risks matter most to it. An issue can qualify as mission critical when a company’s enterprise risk management system identifies it as such; or when a company’s mission statement declares it as a priority of the company.

Beyond establishing a system that collects information on material risks, directors must monitor and react to information coming from that system. This is the second variant of an oversight duty claim, often dubbed a ‘red-flags claim.’ Here the challenge stems from the fact that directors constantly receive new information alerting them to potential risks. It would be impracticable to treat all such reports as putting directors on notice for oversight liability purposes. This is where the ‘red flags’ metaphor comes in handy: courts limit the scope of oversight liability only to instances where the warning signs were clear and obvious in real time. A mere ‘yellow’ is not enough; the warning must be coded ‘red.’ And a small ‘sign’ is not enough either; the warning must be waved visibly like a ‘flag’ in directors’ faces.

In cases where the evidentiary record shows that directors received a warning, the relevant question is how serious and actionable the warning was. The courts answer this question by gauging the extent to which past warnings are connected to the current trauma. General abstract warnings do not count as red flags; only specific warnings do. To illustrate, virtually every board these days has received at some point briefings about the theoretical possibility of cyberattacks; but as long as said briefings did not concern a concrete, imminent risk, they do not count as putting directors on notice for oversight liability purposes.

In cases where the record shows that flags existed internally but does not show that directors saw these flags, the key question is whether the flags were so visible that the only way the directors could not have seen them was if they were consciously looking away. One oft-used criterion is how pervasive and widespread noncompliance was. The aggregation principle is in play here: the quantity of past warnings can transform into quality. That is, a myriad of yellow flags can count as a big red flag once the number of warnings crosses a certain threshold. Such thinking also implies that the nature of flags is dynamic: what was once yellow can quickly turn red, including in instances when ‘the regulatory and enforcement environment are intensifying.’

The abovementioned information-systems and red-flags claims require directors to try genuinely and proactively to ensure that others in their organization comply with the law. Another type of claim requires directors not to proactively install a business plan predicated on profiting from skirting laws (I term this ‘a business-plan’ claim). On paper, the latter claim seems easier to prove than the former two: it is supposedly easier to infer bad intentions from actions than from omissions. Yet applying the business-plan theory to real-world circumstances often turns out to be anything but automatic. Large corporations operate in a dynamic regulatory environment with much uncertainty. As a result, it is not straightforward to assume that the business plan in question was predicated from the start on lawbreaking. Further, directors rarely openly condone or document their orders to others to violate laws. As a result, it is not straightforward to assume that directors proactively affirmed a plan to profit from lawbreaking. The Article delineates the contours of the business-plan claim, such as by highlighting the distinction between breaches of contracts and torts, or identifying the circumstantial evidence that courts use to infer that directors were in on the scheme.

The oversight duty doctrine raises many other thorny questions besides how to determine directors’ bad faith. And practitioners and judges will undoubtedly continue to push the oversight-duty envelope over the next few years. Corporate legal academics should therefore strive to develop better understanding of the what and the why of the doctrine.

Roy Shapira is Professor of Law at Reichman University and a Research Member at ECGI.

The full article is available for download here.