As to the specific role of ‘Best Practices’ in the area of general compliance and ethics, one can look to Delaware corporate law for guidance. The case of In Re Caremark International Inc. was the first case to hold that a Board’s obligation “includes a duty to attempt in good faith to assure that a corporate information and reporting system, which the board concludes is adequate, exists, and that failure to do so under some circumstances may, in theory at least, render a director liable for losses caused by non-compliance with applicable legal standards.”
In the case of Stone v. Ritter, the Supreme Court of Delaware expanded on the Caremark decision by establishing two important principles. First, the Court held that the Caremark standard is the appropriate standard for director duties with respect to corporate compliance issues. Second, the Court found that there is no duty of good faith that forms a basis, independent of the duties of care and loyalty, for director liability. Rather, Stone v. Ritter holds that the question of director liability turns on whether there is a "sustained or systematic failure of the board to exercise oversight – such as an utter failure to attempt to assure a reasonable information and reporting system exists.”
According to Haynes and Boone in its publication, “Corporate Governance and the Role of the Board” a director’s business decisions generally qualify for protection by the “business judgment rule.” Under the business judgment rule, courts presume that directors making business decisions acted on an informed basis, in good faith, and with the honest belief that the action taken was in the best interests of the corporation. In lawsuits brought against directors brought by shareholders, courts applying the business judgment rule will determine only whether the directors making the decision (i) were free from conflicts of interest, (ii) appropriately informed themselves before taking the action, and (iii) acted after due consideration of all relevant information that was reasonably available. Under the business judgment rule, the board’s action will not subject board members to liability if the action or decision of the directors can be attributed to any rational business purpose. Directors that meet the criteria of the business judgment rule do not have to worry about having their business decisions second-guessed by a court, even where their decisions result in corporate losses.
A Board’s duty under the Foreign Corrupt Practices Act (FCPA) is well known. In the Department of Justice (DOJ)/Securities and Exchange Commission (SEC) FCPA Guidance, under the Ten Hallmarks of an Effective Compliance Program, there are two specific references to the obligations of a Board. The first in Hallmark No. 1, entitled “Commitment from Senior Management and a Clearly Articulated Policy Against Corruption”, states “Within a business organization, compliance begins with the board of directors and senior executives setting the proper tone for the rest of the company.” The second is found under Hallmark No. 3 entitled “Oversight, Autonomy and Resources”, where it discusses that the Chief Compliance Officer (CCO) should have “direct access to an organization’s governing authority, such as the board of directors and committees of the board of directors (e.g., the audit committee).” Further, under the US Sentencing Guidelines, the Board must exercise reasonable oversight on the effectiveness of a company’s compliance program. The DOJ’s Prosecution Standards posed the following queries: (1) Do the Directors exercise independent review of a company’s compliance program? and (2) Are Directors provided information sufficient to enable the exercise of independent judgment?
There is one other issue regarding the Board and risk management, including FCPA risk management, which should be noted. It appears that the SEC desires Boards to take a more active role in overseeing the management of risk within a company. The SEC has promulgated Regulation SK 407 under which each company must make a disclosure regarding the Board’s role in risk oversight which “may enable investors to better evaluate whether the board is exercising appropriate oversight of risk.” If this disclosure is not made, it could be a securities law violation and subject the company, which fails to make it, to fines, penalties or profit disgorgement.
From the Delaware cases, I believe that a Board must not only have a corporate compliance program in place but actively oversee that function. Further, if a company’s business plan includes a high-risk proposition, there should be additional oversight. In other words, there is an affirmative duty to ask the tough questions. The specific obligations set out regarding the FCPA drive home these general legal obligations down to the specific level of the statute.
Three Key Takeaways
For more information, check out my book Doing Compliance: Design, Create and Implement an Effective Anti-Corruption Compliance Program, which is available by clicking here.