Boards of director members (Board) face increased scrutiny of their risk oversight function and the mitigation and crisis management strategies they implement pre-crisis, both during the crisis and post-crisis. The Board's role in risk oversight has evolved substantially since September 1996, when the Delaware Chancery Court issued its In re Caremark decision setting the standard for board oversight compliance. As recently as last year, the Delaware Supreme Court issued an opinion in Marchand v. Barnhill reaffirming the Caremark decision and elaborating the established standard for Board compliance with risk oversight responsibilities. This has led to a proliferation of rulemaking related to the Board's risk oversight function. To list just a few examples, the US Securities and Exchange Commission's (SEC) rules require proxy statement disclosure of the Board's role in risk oversight and the extent of that oversight, the NYSE listing standards require New York Stock Exchange (NYSE) listed companies' audit committees to have a written charter that includes a requirement to discuss risk assessment and management policies, and Dodd-Frank requires that some financial entities and banks have a risk committee that operates under a formal written charter.
Following recent cases involving Blue Bell Creameries USA, Inc. (Blue Bell) and in light of the outbreak of the novel COVID-19 (coronavirus), this alert provides (I) a checklist for Boards and their counsel to ensure compliance with the Caremark standard and similar standards, (II) considerations for management and directors in managing the coronavirus-related risks and (III) considerations for multinational supply chains.
I. General Boards' risk oversight compliance checklist
Under the Caremark decision, the Board must "attempt in good faith to assure that a corporate information and reporting system…exists." This standard has led to a wide practice of Boards and management developing corporate compliance programs, monitoring those programs and making sure Boards stay informed regarding the status of implementation and functioning of those programs. On June 18, 2019, the Delaware Supreme Court in Marchand v. Barnhill, allowed a lawsuit to proceed after the court held that the plaintiff satisfied the high-threshold Caremark standard, stating that, after distributing ice cream tainted with a deadly listeria strain, Blue Bell's Board had breached its duty of loyalty by failing to make a good faith effort to ensure that a corporate information and reporting system existed. Facts included the Blue Bell's Board failure to implement a food safety committee, as well as its failure to discuss and identify safety issues, and its lack of an information reporting system at the Board level.
Based on the Marchand v. Barnhill's decision and its elaboration of the Caremark's standard, we recommend that counsel and their Boards take the following practical steps:
- Determine the company's critical mission and associated risks.
- Set the tone at the top. Emphasize to Boards their role in setting the tone for risk management and to personnel their role in building an efficient compliance reporting and monitoring system and culture within the company, noting that management-level compliance programs are never enough if they stand alone.
- Ensure the Board is proactive in conducting risk oversight. This means that the Board must actively ensure that it receives information relevant to its core mission and take appropriate actions, if needed.
- Create a crisis response plan that includes preventive measures to prepare the company for emergency situations. This means the Board should elaborate pre-crisis emergency guidelines, crisis management policies and post-crisis follow up to ensure the applicable risk was properly mitigated, and then take note of lessons learned during the crisis.
- Urge the Board to address issues specific to the company's line of business or industry. For example, Blue Bell's core mission is to provide ice cream to its customers, a critical component of which is ensuring the safety of its products. Thus, the Board needs to actively discuss any food and safety issues that come to its attention.
- Advise the Board to set up appropriate Board committees to address mission-critical issues. For example, Boards should create subcommittees to address specific industry-related issues that can impact the company, e.g. environmental, health and safety standards, or any other standards set by industry-specific regulations.
- Establish regular processes and protocols to keep the Board informed of the committees' efforts and compliance.
- Regularly address safety issues and mitigation protocols during Board meetings as well as reports of "yellow" and "red" flag issues. This is to show that the Board does not ignore flagged issues and swiftly address any risks.
- Document discussions and efforts related to safety issues and crisis mitigation in corporate documents, records, and books.
The Caremark and Marchand v. Barnhill decisions show that Delaware courts expect Boards to take risk oversight seriously. In addition to operational and reputational consequences, failure to comply with risk oversight requirements can lead to shareholder derivative suits and subject Board members to personal liability.
The use of outside advisers and/or independent investigators can be a great addition to internal measures to assess the appropriateness of the board oversight programs in place and the company's self-auditing.
II. Considerations for management and directors in managing coronavirus-related risks
In addition to the actions discussed above, with respect to the emerging pandemic risk of the recent coronavirus outbreak, we encourage management and directors to consider the following aspects in connection with enterprise risk management, compliance programs and risk oversight functions. SEC compliance will require companies to actively monitor the recent SEC updates regarding coronavirus and to assess the effects of the outbreak on the company's business. Companies should:
- Actively monitor the SEC's and stock exchange guidance on this topic such as the recent conditional relief on extended filing dates. The level of detail and appropriate context for such disclosures depend on a company's industry, footprint and extent of affected operations or the effect on personnel, suppliers and customers in China and other impacted areas.
- Assess the potential effects of the coronavirus on the business and evaluate whether any disclosures need to be included to address this evolving issue. As of February 28, 2020, around 606 public companies have included coronavirus-related risks in the "risk factors" section of their SEC periodic reports and prospectuses. Companies should consider adding pandemic-related risks and discussions in the company's disclosures, including in forward-looking statements, risk factors, and Management Discussion & Analysis, to the extent material.
- Regularly provide subsequent updates in future 10-Ks and 10-Qs, and avoid selective disclosures in providing updated financial guidance if the economic circumstances change due to the virus spreading. It may be important for the Board to communicate the company's assessment of the impact of coronavirus to the shareholders and investors, if any, and how the companies are responding to manage this impact. Given uncertainty over the scope of the virus' reach and its impact on global economy, companies may need to revisit, refresh, or update the previous disclosure to the extent that the prior disclosure becomes materially inaccurate. For those companies that issue guidance to investors regarding projected financials, management should take care not to inadvertently confirm or provide updated guidance (like adjusting revenue projection) with select shareholders.
- Assess how the coronavirus-related risks known only to the insiders will impact the insider trading policy. In the SEC's press release on March 4, the SEC encourages all companies and other related persons to consider their activities in light of their disclosure obligations under the federal securities laws. For example, where a company has become aware of a risk related to the coronavirus that would be material to its investors, it should exercise caution before engaging in securities transactions with the public and to take steps to prevent directors and officers (and other corporate insiders who are aware of these matters) from initiating transactions until investors have been appropriately informed about the risk.
III. Multinational supply chains in the wake of the coronavirus
For companies with supply chains, distributors, customers, or international operations in China or other geographic areas that have been impacted by the coronavirus, consider these actions:
- Have a risk monitoring and management plan in place. Designate a team to keep reporting with up-to-date details of the affected areas through the World Health Organization's (WHO) Disease Outbreak News, conduct risk assessments, plan for business disruptions to supply chains (consider locating and negotiating with alternative suppliers or planning for extra inventories), customers or distributors and working conditions.
- Review the company's contracts practice. Check the terms of existing contracts for protection, including revising the force majeure clauses where possible, or insert express infectious disease/epidemic wording into new contracts.
- Review the company's insurance program. Ensure insurance arrangements can cover virus-related cancellations or business interruptions (including travel).
- Ensure proper training and provide education on the virus for the workforce. This might include information on how the virus spreads and information on medical care; the company may also consider rotating the workforce if possible to decrease the risk of large-scale infections or shut-down (and plan for the scenario if a large segment of the workforce is affected), and how to dispel myths, fears and misconceptions. Limit nonessential travels to affected regions and ensure employees abide by these quarantine measures if they have traveled to the affected regions.
- Ensure ongoing communications with workers. Endeavor to provide updates on the outbreak and training refreshers and drills; consider establishing a written communicable illness policy and response plan that covers the coronavirus and other communicable diseases.
- Provide a safe workplace and avoid discrimination. Avoid discriminating against individuals who are disabled or perceived as disabled because they are exhibiting symptoms suggestive of having contracted coronavirus, or individuals belonging to certain races or nationalities where the virus is most prevalent.
- Audit suppliers. Review their respective work health and safety systems and policies to the extent material, especially relating to virus and disease control, ensuring they are up-to-date and appropriate, or requiring compliance with applicable company policies.
Board oversight is a critical part of the Board's fiduciary and loyalty duties. The recent case of Blue Bell and the currently developing outbreak of the coronavirus demonstrate the need for Boards and in-house counsel to exercise an increased level of scrutiny of and rigorous compliance with Boards' risk oversight programs. Boards should keep the Caremark decision, Marchand v. Barnhill, and industry best practices in mind when considering the state of their risk oversight programs, as these benchmarks help clarify the standard expected by the Delaware Chancery Court. Further, the Boards of publicly listed companies must remember to keep additional standards in mind, such as SEC regulations and NYSE/NASDAQ listing standards. Finally, counsel to Boards should, when possible, thoroughly assess existing risk oversight programs, engage with Boards to focus them on the relevant issues, ask the tough questions and take appropriate steps to address current risks.
A special thanks to law clerk Philippine Dumoulin, who works under the direct supervision of Julia Rix, for her assistance in preparing this content.