Practice Update

Prosecutors, regulators, investors and the media are increasingly holding directors and officers accountable, while special interest groups, plaintiffs' lawyers and activist hedge funds are constantly looking for their next targets. 

This new reality requires directors to proactively oversee legal, ethical and reputational risks in aggressive ways that are a stark departure from the old mantras of “let shareholders walk if they are dissatisfied” and “directors should be noses in, fingers out.” Index funds have made it clear that they are not walking and will replace boards (and management) that are not adequately overseeing reputational and legal risks. 

But the concern for board members goes beyond losing a position. The Delaware Supreme Court and federal regulators have made it clear that boards will be legally held accountable for oversight failures.

To protect themselves in this new environment, boards must become more proactive and independent of management than envisaged by the traditional business judgment rule safe harbor. Boards must challenge management’s thinking and raise areas of concern, particularly since new and different types of threats are emerging and the complexity of problems is growing. 

Today, there is an endless list of problems that prior generations of boards did not have to confront, including cyber-security, data breaches, data privacy, ESG issues and dealing with publics in a world where false rumors can spread almost instantaneously and destroy a company's reputation. Perhaps of greater impact, social media and its manipulation of optics have resulted in directors and their companies being subjected to higher scrutiny than ever before.   

The Traditional Protections Given to Boards

Historically, the legal landscape has been favorable for boards of directors. Directors could be sued in civil actions for breaching their fiduciary duties of loyalty and care. However, the business judgment rule created a presumption that directors were acting in good faith, a hurdle generally difficult to overcome. 

As a result, directors have not usually faced a realistic threat of personal liability in most derivative and shareholder litigation. If not dismissed, lawsuits against directors are usually settled within insurance policy limits, and directors have not paid money out of their own pockets with a few exceptions. 

Meanwhile, the nature of directors' oversight usually insulated them from knowledge of misconduct and further protected them from allegations of criminal liability. If criminal conduct was found in the company, it was usually thought by prosecutors that directors were simply misled by management.

A New Landscape Is Emerging

But things are changing. Last year, the Delaware Supreme Court allowed a derivative lawsuit against directors of Blue Bell Creameries USA, Inc., to proceed based on allegations that the directors failed to implement and monitor – at the board level – a reasonable system to monitor whether the company's ice cream was safe for consumers. 

It was alleged that Blue Bell had no board committee charged with overseeing food safety, no full board-level process to address food safety issues, and no protocol by which the board was expected to be advised of food safety reports and developments. 

When a listeria outbreak occurred at Blue Bell's plants, the board minutes did not reflect any discussion of it. When the board was informed about the outbreak, it delegated the response to management. Three people eventually died because of the outbreak. 

The Delaware Supreme Court was sharply critical that the board had allegedly relied on management reports concerning "operational issues" and had not set up its own system of monitoring key compliance risks. It did not matter to Delaware's highest court that Blue Bell operated in a highly-regulated industry, that its plants were subject to regular inspections by government officials, or that its management was monitoring the situation. 

Similarly, after Equifax’s historic data breach, the FTC sought to ensure that the board was actively engaged in data security. As a result, Equifax’s settlement with the FTC requires the board of directors to certify annually that they have overseen compliance with the order and are not aware of any noncompliance. Setting an affirmative board oversight requirement for compliance adds duties and risks to director service beyond the traditional business judgment rule standard.

That increased scrutiny tracks what we have seen from federal prosecutors, who are looking more deeply at the efforts of boards and are asking more probing questions of what directors have done and failed to do while overseeing corporate compliance programs. Last year, the Justice Department released detailed guidance designed to take the mystery out of effective compliance programs, including the very questions that should be asked by directors of those programs.    

How Should Boards React To Rising Expectations?

The Blue Bell decision, the Equifax-FTC settlement, Justice Department guidance and growing demands from shareholders and other “publics” reflect rising expectations for what boards should do and how board materials should reflect those efforts. Detailed below are four practices that boards should adopt to meet and exceed the rising expectations.

Establish A Strong “Tone at The Top” And Drive It Into The Company – By Overseeing Legal, Regulatory, Compliance, Ethical And Reputational Risks On A Holistic Basis

In today's world of demands for transparency and suspicion of companies, too often leading to social media misinformation, boards need to establish the highest of accountability standards and assure every corner of the company gets the message and lives up to it. 

Having worked with dozens of boards seeking to address and remedy highly publicized legal, ethical and operational failings, we have discovered that in almost every case the board had not successfully established a pervasive culture of doing the right thing, which likely would have mitigated or eliminated the failing in question.

Establishing such a culture is not an easy task. The culture must span organizational departments and encompass all of the pertinent functions. Operational silos are often the single biggest threat to a strong, consistent company culture.

In many companies, compliance, regulatory and specific legal functions have been created at different points in time in response to new laws or regulatory demands. However, if the legal, regulatory, public affairs, communications and compliance departments are not bound together as one team, there is a significant opportunity for miscommunications and disagreements. Even worse, the functions may develop different priorities or objectives, which will allow important issues to fall through the cracks. 

By establishing a committee or subcommittee to oversee risk, particularly if that committee uses an enterprise risk management process, the board is better able to ensure that the tone it intends is actively embraced by the primary risk functions, thus mitigating the company’s risk.

Establish A Data Governance Function To Manage Data Collection, Security, Privacy, Usage And Ethics, Which Regularly Reports To The Board

Digital technology advances are so rapid and innovative that societies' ability to manage and control the benefits and harms has been lagging and reactive. Every enterprise is or soon will be a data company. As security has become an issue, the CISO function has been created. If a company does not have a CISO, it needs to create the position now. With privacy now expanding beyond specific industries, the chief privacy function is growing. AI, facial recognition and other innovations are producing profound usage and ethical issues. Some companies have adopted data usage models that may soon be regulated out of existence.

Soon, every piece of data in a company will need to be tagged and managed to maximize the usage benefits and minimize the harms. The overall culture of doing the right thing should control decision making, but having a chief data officer or oversight management group will be essential to integrate the various data functions.

Regularly Engage Third Party Governance Experts To Ensure Legal, Ethical And Reputational Risk Management Functions Are Operating Effectively

As part of their fiduciary duties of loyalty and care, directors must ensure that effective risk management systems are in place and that they are working well. Boards cannot simply rely on management for an assessment. Professional independent fact finding must periodically be used to assure proper oversight. Financial audits can be effective to obviate the fear of reliance on bad financial information. Governance reviews can be designed to eliminate concerns about inadequate legal, ethical and reputational risk management. 

When boards have engaged us in reaction to a crisis, our mission has been to determine "What happened? Why? How do we assure it never happens again?" Over time, we have taken that fact-finding methodology and utilized it for preventive reviews. Document reviews quickly determine if best-practice systems are in place, but interviews are used to verify whether those systems are working. In preventive reviews, company employees are generally more forthcoming when an independent third party is leading the effort and can report findings without attribution.

Maintain Adequate Written Records Documenting The Board’s Oversight

Traditionally, boards of directors have not had significant materials reflecting their efforts at monitoring compliance. Board minutes may contain brief references to oversight efforts, and most boards receive various presentations from management. That absence of detail was one of the problems facing Blue Bell's directors.

In this environment, that is a mistake. Without an adequate written record, it becomes too easy to assume that the board was not monitoring the compliance program. That does not mean the board has to issue written reports, but the minutes and accompanying materials should reflect that the board has spent significant time considering the company's central compliance risks.   

Adjusting To The New Landscape

If boards do not improve their oversight processes, investors are likely to have greater success in removing directors, and plaintiffs' lawyers will bring more breach of fiduciary duty claims. Prosecutors are likely to spend more time investigating whether directors turned a blind eye to misconduct. Now that there is so much guidance for compliance programs, it will be easier to argue in the future that directors are acting in bad faith. Directors should ensure that their D&O policies will cover the increased risks that directors and officers are likely to face in the future.

To sail from dark clouds to brighter prospects, boards will need to be more proactive, assuring that the right risk oversight systems are in place and are working. We have found that in most corporate failings where we have been involved, the problem was not a lack of the right systems on paper. Failures occurred because there was no line of sight throughout the organization assuring the right culture.

Boards and senior management need to find ways to learn the true facts as to how the organization is conducting itself. Is there one culture throughout of doing the right thing, or are hidden subcultures doing bad things? It is just a question of time before independent governance assessments become the norm used by boards and senior management to protect the company and its stakeholders from a rising storm.
