Delaware Court of Chancery emphasises risk-based approach to oversight duty
This is an Insight article, written by a selected partner as part of GIR's co-published content.
By focusing on whether and how directors monitor central compliance risks, including ‘mission critical’ risks, recent Delaware case law effectively requires directors to engage in risk-based corporate governance to fulfil their fiduciary duty of oversight and has extended this duty to officers as well. This increasing judicial scrutiny of director and officer oversight has been paralleled by increasing scrutiny from enforcement authorities of compliance programmes when assessing whether and how to prosecute a corporation. Identifying, prioritising and tackling central compliance risks has never been more important to inform and focus oversight and corporate compliance programmes.
- Tools to facilitate risk-based oversight
- Periodic identification and prioritisation of risks
- Designated board committees to monitor critical risks
- Frequency of management critical-risk reporting and off-cycle reporting
- Periodic consideration by full board of critical risks
- Documentation of oversight efforts
Referenced in this article
- In re McDonald’s Corp Derivative Litigation
- In re Boeing Co Derivative Litigation
- Marchand v Barnhill
- In re Caremark International Inc Derivative Litigation
- Graham v Allis-Chalmers Mfg Co
- Teamsters Local 443 Health Servs & Ins Plan v Chou
- Holder Memorandum
- Thompson Memorandum
- Seaboard Report
- DOJ’s Evaluation of Corporate Compliance Programs (2023)
Following enforcement actions imposing corporate criminal or civil liability, shareholders often bring derivative actions alleging that the underlying compliance failures were caused by breaches by directors or officers of the fiduciary duty to monitor the affairs of the corporation. Delaware courts have traditionally dismissed such claims with some regularity. Beginning with the Delaware Supreme Court’s 2019 decision in Marchand v Barnhill (Marchand), however, and continuing with the Delaware Court of Chancery’s 2021 decision in In re The Boeing Company Derivative Litigation (In re Boeing), the Delaware courts have been more willing to allow shareholder derivative claims to proceed against corporate directors for alleged failures to monitor ‘mission critical’ risks facing their companies. Most recently, the Court of Chancery in In re McDonald’s Corp Derivative Litigation (In re McDonald’s): clarified that the duty of oversight reaches all ‘central compliance’ risks, which include but are not limited to mission critical risks; underscored the risk-based nature of this duty; and extended the same fiduciary duties owed by directors to corporate officers.
While nominally applying the standard for shareholder claims of failed director oversight first established 25 years ago in In re Caremark International Inc Derivative Litigation (Caremark), these recent decisions signal an evolution in how the Delaware courts evaluate such claims. By focusing on the nature and degree of oversight of ‘central compliance’ risks, these decisions highlight the need for active, risk-based corporate governance by directors and, now, by officers as well. Successfully discharging the duty of oversight in this context depends more than ever on the company having effective enterprise risk management and compliance programmes in which risks are regularly identified and prioritised in light of changes in laws, regulations, technology or the company’s business itself. It is perhaps no accident that the courts’ recently sharpened focus on risk-based oversight has arisen in the context of increasingly exacting scrutiny by enforcement authorities of corporate compliance programmes as part of their discretionary assessment of whether, and if so how, to charge corporations, as well as what penalties and other obligations to impose. Identifying and prioritising an enterprise’s evolving legal and compliance risks and deploying resources accordingly is thus critical to enable the board and officers to meet their fiduciary duty of oversight to shareholders and to enable the corporation to meet the expectations of enforcement authorities as well.
This article briefly summarises key developments in the evolution of the fiduciary duty of oversight under Delaware law, discusses its symbiotic relationship with risk management and compliance, and offers guidance for corporate boards and officers to ensure they are effectively carrying out their duty of oversight.
The evolution of the fiduciary duty of director oversight under Delaware law
The Caremark standard
In 1996, the Delaware Court of Chancery in Caremark articulated a new standard for when directors may be held liable for breaching their fiduciary duty of oversight. In Caremark, a consolidated shareholder derivative action alleged Caremark’s directors breached their duty of oversight in connection with employee conduct that resulted in significant corporate fines from enforcement actions by state and federal authorities and federal indictments related to alleged unlawful payments to healthcare providers. The Court of Chancery was called upon to assess the fairness and reasonableness of a proposed settlement, which required the Court to consider the strength of the plaintiffs’ claim that the Caremark directors had breached their fiduciary duty of oversight.
In considering the parameters of the board’s oversight responsibilities, the Court of Chancery rejected a broad interpretation of the Delaware Supreme Court’s 1963 decision in Graham v Allis-Chalmers Mfg Co, in which the Supreme Court stated that ‘absent cause for suspicion there is no duty upon the directors to install and operate a corporate system of espionage to ferret out wrongdoing which they have no reason to suspect exists’. Noting the increasing importance of a properly informed corporate board, particularly in view of the increasing criminalisation of corporate conduct and the imposition of significant corporate fines and penalties under the then recently adopted federal Organizational Sentencing Guidelines, the Court of Chancery in Caremark defined a proactive fiduciary duty of oversight not limited to requiring director action only in response to red flags.
According to the Court of Chancery:
a director’s obligation includes a duty to attempt in good faith to assure that a corporate information and reporting system, which the board concludes is adequate, exists, and that the failure to do so under some circumstances may, in theory at least, render a director liable for losses caused by non-compliance with applicable legal standards.
Acknowledging the high bar to establishing such liability, the court observed that ‘only a sustained or systematic failure of the board to exercise oversight – such as an utter failure to attempt to assure a reasonable information and reporting system exists – will establish the lack of good faith that is a necessary condition to liability’.
The Court of Chancery concluded that the proposed settlement provided only ‘modest benefits’ but was nonetheless fair and reasonable because the failure of oversight claim was ‘extremely weak’ and ‘quite likely’ would have been ‘susceptible to a motion to dismiss’. Although the Court observed that the Caremark board had ‘a functioning committee charged with overseeing corporate compliance’, the record does not indicate that the full board or any board committee was tasked specifically with oversight of the company’s compliance with healthcare laws (as compared with corporate compliance generally), or that there was any regular management reporting to the board or to a board committee about compliance with relevant healthcare laws, the violations of which gave rise to significant corporate liability. Indeed, the compliance enhancements agreed to as part of the settlement included specific, board-level engagement with and regular management reporting about these issues.
Were today’s requirement of risk-based governance evident in Marchand, In re Boeing and In re McDonald’s applied in Caremark, the court almost certainly would not have been so dismissive of the shareholders’ failure of oversight claim in assessing the reasonableness of the proposed settlement.
Marchand and oversight of mission critical risks
In 2019, over 20 years after Caremark, the Delaware Supreme Court in Marchand introduced a risk-based gloss on the duty of oversight defined in Caremark. Marchand involved a shareholder derivative claim for losses to Blue Bell, an ice cream manufacturer, arising from a listeria outbreak that resulted in three deaths and forced Blue Bell to recall its products, suspend production, lay off a third of its workforce and accept a private equity investment to address resulting liquidity issues that reduced the value of its shares. To fulfil its duty of oversight under Caremark, the Court in Marchand stated a board must ‘make a good faith effort to put in place a reasonable system of monitoring and reporting about the corporation’s central compliance risks’. The Court further observed that a board’s failure to take steps ‘to make sure it is informed of a compliance issue intrinsically critical to the company’s business operation’ would ‘support . . . an inference that the board has not made the good faith effort that Caremark requires’. The Court thus considered whether, before the listeria outbreak, the Blue Bell board tried in good faith to implement a reasonable board-level reporting and information system focused on the company’s mission critical risk of food safety.
Reversing the Court of Chancery’s dismissal of the Caremark claim, the Supreme Court observed that the complaint alleged that, before the listeria outbreak, there was: no board committee that addressed food safety; no process that required management to keep the board apprised of food safety compliance, risks or reports; no schedule for regular board consideration (eg, quarterly or semi-annually) of any food safety risks; and no evidence of any regular board-level discussion of food safety. The Supreme Court rejected the defendant directors’ arguments that corporate compliance with federal and state safety regulations, the existence of employee food safety manuals, periodic corporate compliance audits, or discretionary management reporting to the board about the company’s general operational performance, showed a good faith effort to establish a board-level information and reporting system related to food safety compliance. The necessary focus, therefore, is what the board itself has done to ensure that it is informed about key corporate risks.
Since the Delaware Supreme Court’s decision in Marchand, there has been a series of cases in which the Court of Chancery has rejected defendants’ motions to dismiss Caremark claims alleging a board-level failure to monitor allegedly mission critical corporate risks. In re Boeing is a prime recent example. As discussed further below, while the Court of Chancery in the more recent In re McDonald’s case granted the directors’ motion to dismiss, it clarified that the risk-based approach to governance is not limited only to mission critical risks, but also applies to the broader set of central compliance risks.
In re Boeing and the need for ‘rigorous oversight’ of mission critical risks
In In re Boeing, plaintiff shareholders brought derivative claims against company directors for, among other things, breach of the duty of oversight in the aftermath of two fatal plane crashes of the 737 Max and the related grounding of Boeing’s 737 Max fleet. The plaintiffs alleged oversight failures under both prongs of Caremark, namely, that the directors acted in bad faith: by failing to create an information and reporting system for the board to monitor the mission critical risk of aircraft safety before the two crashes; and by ignoring the safety red flags that the first crash raised.
Tracking the analysis in Marchand, the Court of Chancery found that the shareholders stated viable Caremark claims and thus denied the defendants’ motion to dismiss. The Court concluded that the alleged absence of structures to inform the board about the mission critical issue of aircraft safety gave rise to a reasonable inference that the directors acted in bad faith in breach of their duty of oversight. The Court found persuasive the indicia of director bad faith and laxity in oversight that the Supreme Court noted in Marchand, namely, that before the first air crash there was:
- no board committee specifically mandated to monitor aircraft safety;
- no internal system for whistleblowers or employees to bring safety concerns to the board’s attention;
- no schedule for or evidence of regular board monitoring or discussion of aircraft safety; and
- no process or protocol requiring management to keep the board regularly informed of issues related to aircraft safety.
As in Marchand, the Court rejected the notion that committee responsibility for compliance generally, facial compliance by the company with regulatory requirements, or ad hoc, discretionary management reporting to the board, sufficed to meet the board’s obligation to provide ‘rigorous oversight’ of mission critical risks.
The Court also found that the plaintiff shareholders stated a viable claim that the board failed to respond in good faith to the red flag safety issues embodied in the public reporting about the first 737 Max crash. Notably, after the first crash, the board allegedly failed to request information from management, to timely convene a mandatory meeting to discuss the crash, or to timely initiate an inquiry into the cause of the crash.
In re McDonald’s and oversight of ‘central compliance risks’
In In re McDonald’s, plaintiff shareholders brought derivative claims against the company’s directors and two of its senior officers for breach of the duty of oversight, among other claims. The action followed the resignation of the company’s CEO and the firing of its chief people officer after revelations that they each engaged in sexual misconduct and that they and the board fostered a workplace culture allowing such conduct to occur. While the plaintiffs alleged oversight failures primarily with respect to the second Caremark prong – regarding the failure to respond to red flags – the Court of Chancery clarified the scope of the mission critical risk analysis.
Before its analysis of the claims’ substance, the Court for the first time expressly extended to corporate officers the same fiduciary duties owed by corporate directors, including the Caremark duty of oversight.
Noting that both derivative plaintiffs and defendants for different reasons had since Marchand focused on the presence or absence of a mission critical risk, the Court clarified that even in Marchand, the duty of oversight was held to extend to all central compliance risks, which include, but are not limited to, the mission critical risks at issue in Marchand and In re 
Discussing the scope of the duty of oversight so understood, the Court underscored the risk-based nature of the duty given the practical limits of director and officer time and resources, stating:
Time and attention are precious commodities, and with limited supplies of each, officers and directors must make judgments about what risks to monitor. When making those decisions, officers and directors are presumed to act loyally, in good faith, and with due care (i.e., on an informed basis). Unless one of those presumptions is rebutted, the decision is protected by the business judgment rule. Outside of central compliance risks, including essential or mission critical risks, a plaintiff will have difficulty rebutting the business judgment rule where officers or directors have made a good faith decision regarding the level of monitoring resources, if any, to assign to a risk.
Finally, in the context of dismissing plaintiffs’ derivative ‘red flags’ claim, the Court of Chancery in In re McDonald’s clarified the relevance of central compliance and mission critical risks compared to lower-level risks in the context of director and officer responses to red flags upon learning of them. According to the Court, while directors and officers have an obligation to respond to all red flags, if one ‘concerns a central compliance risk’, it becomes ‘easier to draw an inference that a failure to respond meaningfully resulted from bad faith’. Put differently, although the level of risk presented by a red flag does not affect the existence of the duty to respond, it can affect the showing necessary at the pleading and proof stages to demonstrate that an alleged failure to respond reasonably resulted from bad faith.
The foregoing analysis of Delaware law shows the critical importance of identifying, categorising and prioritising evolving legal and regulatory risks, among others, and allocating resources accordingly, to the effective discharge by directors and officers of their duty of oversight. As discussed below, this process is equally critical to allow corporations to meet the expectations of enforcement authorities with respect to effective corporate compliance programmes.
An effective risk-based compliance programme essential
By analogy to the less well-known half of Muhammad Ali’s famous quotation, ‘Float like a butterfly, sting like a bee, the hands can’t hit what the eyes can’t see’, a board obviously cannot monitor risks it does not know about, much less do so rigorously. By scrutinising whether and to what extent directors have exercised oversight of central and mission critical risks, Marchand and the cases that have followed it effectively now require boards and officers to engage in risk-based corporate governance. In so doing, Delaware courts have tied more closely than ever the effective discharge of the duty of oversight to the corporation having effective enterprise risk management and compliance programmes that identify and prioritise evolving corporate legal and regulatory risk so that the board and officers in their respective spheres can design and implement appropriately calibrated monitoring of relevant risks and deploy resources accordingly.
The increasing judicial scrutiny of board (and now officer) oversight of key corporate risks has been paralleled by increasingly exacting scrutiny by enforcement authorities of the effectiveness of corporate compliance programmes in deciding whether and how to prosecute corporate misconduct, as well as the penalty, if any, and any additional obligations to impose in any criminal resolution. These developments underscore the symbiotic relationship between corporate governance and corporate compliance.
Since 1999, the Department of Justice has issued formal guidelines identifying the factors federal prosecutors should consider in determining whether and, if so, how business entities should be charged. Though not determinative, one factor in this discretionary calculus has consistently been the existence and effectiveness of a corporate compliance programme to detect and prevent misconduct. In the 2003 version of these guidelines, entitled ‘Principles of Federal Prosecution of Business Organizations’, the Department cited Caremark and stated that, in assessing a corporate compliance programme, prosecutors may consider ‘whether the corporation has established corporate governance mechanisms that can effectively detect and prevent misconduct’, including whether the company’s ‘directors established an information and reporting system . . . reasonable to provide management and the board of directors with timely and accurate information sufficient to allow them to reach an informed decision regarding the organization’s compliance with the law’. Thus, just as the Caremark court grounded its delineation of a proactive duty of corporate oversight in part on the increasing criminalisation of corporate conduct and the resulting increased exposure of corporations to significant criminal fines, the Department recognised that its assessment of whether and how to prosecute a corporation could be informed in part by the effectiveness of the corporation’s system of corporate governance. An effective compliance programme evidenced and supported by effective governance thus can help corporations avoid or mitigate the risk of significant criminal liability just as effective governance informed and supported by an effective compliance programme can help avoid or mitigate the risk of director (and officer) liability.
Similar to the guidelines issued by the Department of Justice, the Securities and Exchange Commission in 2001 issued a framework for evaluating whether and, if so, to what extent, to afford lenient treatment to companies under investigation (the Seaboard Report). Though not citing Caremark, certain Seaboard factors relate to director oversight, including (1) whether and, if so, when a company’s audit committee and board of directors were fully informed of relevant misconduct, and (2) whether management or the board oversaw any internal investigation of such misconduct.
While the assessment of the effectiveness of corporate compliance programmes, including by reference to corporate governance, has been a relevant, though non-determinative, factor in the prosecution calculus of the Department of Justice and other enforcement authorities for some time, the level of scrutiny with which authorities have assessed the effectiveness of corporate compliance programmes has increased dramatically in recent years. For example, in 2021, the Department of Justice revamped an existing unit within the Fraud Section, renaming it the Corporate Enforcement, Compliance, & Policy Unit and staffing it with strategic law firm and in-house counsel hires with extensive compliance expertise.
In addition, in 2017, the Department published, and has since thrice revised, guidance on how it evaluates corporate compliance programmes. The most recent version of this guidance, published in March 2023, spans almost 20 pages and focuses in material part on whether and to what extent a company’s corporate compliance programme is risk-based in design and implementation; with respect to corporate governance, the guidance specifically asks ‘what types of information have the board of directors and senior management examined in their exercise of oversight in the area in which misconduct has occurred?’ As anyone who has had to explain a corporate compliance programme to US enforcement authorities in the last several years can attest, the level of scrutiny outlined in this guidance exists in practice as well as on paper.
In light of the foregoing developments, corporations and their governing boards and officers are challenged more than ever to have effective risk-based corporate compliance and corporate governance. Recognising that there is not a one-size-fits-all approach for either, but that approaches can and should be adapted reasonably to the facts and circumstances of individual companies in view of their size, resources and risks, the steps corporate boards and officers should consider taking to ensure they exercise appropriate oversight of relevant risks include the following:
- ensure that management conducts periodic enterprise risk assessments to identify and prioritise the evolving key legal, regulatory and operational risks the corporation faces and, with a reasoned justification, to calibrate accordingly the resulting allocation of resources to manage and monitor those risks;
- ensure that officers take on board, as appropriate, the results of periodic risk assessments and have protocols in place to learn of and escalate information about such risks if they materialise;
- ensure that a board committee has been mandated expressly to monitor each risk identified as central or critical and tailor the level of oversight accordingly. Any difference in the assessed significance of the risks meriting board-level or officer scrutiny could be reflected, for example, in the frequency of committee or board meetings at which a given risk is addressed;
- ensure that a regular cadence exists for management to report information and developments relevant to identified risks to the responsible committee, including to allow the committee and the board to satisfy themselves that sufficient corporate resources are being devoted to address key risks. Relatedly, establish a protocol for off-cycle reports by management to the responsible committee of material developments related to covered risks, and ensure that certain types of risks identified in internal whistleblower hotlines are sent directly to the responsible committee or escalated promptly to the committee by management;
- establish a schedule for consideration by the full board of information and developments related to the risks identified as central to the organisation; and
- ensure that directors’ and officers’ oversight efforts and decisions with respect to monitoring the corporation’s central compliance risks and responding to red flags are properly documented.
A good faith effort to design and implement effective risk-based corporate governance and compliance will protect and serve the interests of the corporation, its governing board, its shareholders and other stakeholders.
 212 A.3d 805 (Del. 2019).
 No. 2019-0907, 2021 BL 337478 (Del. Ch. Sept. 7, 2021).
 291 A.3d 652 (Del. Ch. 2023).
 289 A.3d 343 (Del. Ch. 2023).
 698 A.2d 959 (Del. Ch. 1996).
 188 A.2d at 130.
 698 A.2d at 969–70.
 id. at 970. The Delaware Supreme Court subsequently endorsed this formulation as ‘articulat[ing] the necessary conditions predicate for director oversight liability’. Stone v Ritter, 911 A.2d 362, 370 (Del. 2006). Although this article focuses primarily on the duty to act in good faith to create a reasonable board-level information and reporting system, this duty also requires directors (and now officers as well) to monitor information generated by such a system and to respond appropriately to red flags when presented. See, eg, Stone, 911 A.2d at 370 (stating that oversight liability may arise because ‘(a) the directors utterly failed to implement any reporting or information system or controls; or (b) having implemented such a system or controls, consciously failed to monitor or oversee its operations thus disabling themselves from being informed of risks or problems requiring their attention’).
 id. at 971.
 id. at 970–71.
 id. at 970.
 id. at 966.
 212 A.3d at 824.
 id. at 822.
 id. at 822, 824.
 id. at 822.
 id. at 822–23.
 See Teamsters Local 443 Health Servs & Ins Plan v Chou, No. 2019-0816, 2020 BL 320972 (Del. Ch. Aug. 24, 2020); Hughes v Xiaoming Hu, No. 2019-0112, 2020 BL 155470 (Del. Ch. Apr. 27, 2020); Inter Mktg. Grp. USA, Inc v Armstrong, No. 2017-0030, 2020 BL 516916 (Del. Ch. Jan. 31, 2020); In re Clovis Oncology, Inc Deriv Litig, No. 2017-0222, 2019 BL 373697 (Del. Ch. Oct. 1, 2019).
 2021 BL 337478 at *27.
 id. at *28–29.
 id. at *29.
 id. at *29–30.
 id. at *31–34.
 id. at *6, 28–29.
 id. at *30–31.
 id. at *32–33.
 id. at *35–36.
 289 A.3d 343 (Del. Ch. 2023); 291 A.3d 652 (Del. Ch. 2023).
 289 A.3d at 349.
 291 A.3d at 679.
 id. at 680.
 See Memorandum from Eric Holder, Deputy Attorney Gen., Dep’t of Justice, on Bringing Criminal Charges Against Corporations, to Dep’t Component Heads and U.S. Att’ys (Jun. 16, 1999).
 Memorandum from Larry D. Thompson, Deputy Attorney Gen., Dep’t of Justice, on Principles of Federal Prosecution of Business Organizations, to Dep’t Component Heads and U.S. Att’ys (Jan. 20, 2003). The most recent version of ‘Principles of Federal Prosecution of Business Organizations’ was published in April 2023.
 Sec. Exch. Comm’n, Report of Investigation Pursuant to Section 21(a) of the Securities Exchange Act of 1934 and Commission Statement on the Relationship of Cooperation to Agency Enforcement Decisions (2001).
 id. at 10.