In the recent Citigroup decision,[1] the first to assess director responsibilities in the current financial crisis, the Delaware Chancery Court affirmed Citigroup's board of directors' business judgment in managing the risks involving Citigroup's financial exposure to the subprime mortgage market. The court refused to "second guess" the soundness of the board's decisions, instead according deference to judgments made in good faith and based upon reasonable information.[2]

Plaintiffs alleged that the directors ignored certain "red flag" warning signs[3] that should have put them on notice of the severity of the business risks of investing in subprime assets. Plaintiffs asserted that the directors' decisions caused large subprime-related losses. Plaintiffs alleged that, in consciously ignoring these warning signs, the directors breached their fiduciary duty to properly monitor and manage the risks from subprime mortgage securities. In short, plaintiffs alleged a failure of oversight that should give rise to personal director liability. Plaintiffs couched their claim as a failure to exercise oversight because, under Delaware law, proof of such a claim would be a breach of a fiduciary duty of loyalty, which would not be protected under Citigroup's charter provision exculpating directors from personal liability for violations of the duty of care.

The Chancery Court rejected the failure-of-oversight claim.[4] Oversight liability requires a showing that directors (i) "knew" they were not discharging their fiduciary obligations or (ii) demonstrated a "conscious" disregard for their responsibilities, such as by failing to act in the face of a known duty to act. A showing of "bad faith" is a necessary condition to director oversight liability.

The Chancery Court found that the warning signs alleged by plaintiffs are not evidence that the directors consciously disregarded their duties or otherwise acted in bad faith. After concluding that the "red flags" amounted to little more than public documentation of the worsening conditions in the subprime mortgage market, the Chancery Court stated that at most the warning signs are evidence that the directors made bad business decisions. However, to impose oversight liability on directors for failure to monitor business risks would involve courts in conducting hindsight evaluations of decisions at the heart of the business judgment of directors. The Chancery Court was emphatic that "[o]versight duties under Delaware law are not designed to subject directors, even expert directors, to personal liability for failure to predict the future and to properly evaluate business risk."[5]

Director oversight duties were defined in the seminal Caremark case.[6] In that case, the Chancery Court deferred to the board of directors' business judgment in the discharge of its compliance responsibilities. The directors avoided failure-of-oversight liability because the company had implemented an information and reporting system that assured directors that appropriate information about fraud and other wrongdoing would come to their attention in a timely manner so that they could act to prevent losses to the company. The existence of such an information and reporting system was not contested by plaintiffs in the Citigroup case.

Prudent Director Conduct

The following is a template of prudent director conduct that should protect business judgments from failure-of-oversight liability.

  • Directors' role should be oversight, not management.
  • In performing oversight, directors should exercise diligence in seeking information essential to understanding the risks to the business. If necessary, directors should seek views outside of management (e.g., shareholders and employees).
  • Directors should ask management tough questions and have a healthy degree of skepticism rather than automatically deferring to management's point of view -- they must be aggressive watchdogs. This certainly should be the rule when it comes to financial accounting and executive compensation matters.
  • Directors should bring in consultants if they have difficulty understanding complex business plans and proposals.
  • Directors should hold executive sessions if they feel management's presence inhibits free deliberation.
  • Directors should oversee management's assessment and handling of strategic, financial, operational, and compliance risks. Oversight requires assurance of strong internal systems and controls rather than simply relying on external evaluations (e.g., over-reliance on rating agency valuations).
  • Directors should be periodically briefed by management on the compliance threats to the organization and the corrective steps being taken to address those risks. For example, money laundering, and data protection and security issues are major compliance threats.
  • Directors should respond quickly to complaints related to accounting controls received through the Audit Committee complaint process.
  • Directors should instruct management to ensure that a crisis management plan is in place.
  • Directors should instruct management to ensure that strong whistleblower protections are in place to protect from retaliation employees who lawfully report compliance violations.
  • Directors should instruct management to ensure that a records management policy is in place that covers paper and electronically stored records, including audit working papers.
  • Directors should have detailed knowledge of the profiles of the senior management team. Directors should be particularly attuned to the "tone at the top" set by senior management.
  • Directors should ensure that fellow directors are well-qualified persons of integrity. Directors should engage in periodic self-assessment and evaluation.

If directors implement the steps outlined above, their business judgments likely will be protected from failure-of-oversight attacks. The Citigroup decision provides ample reason for renewed vigilance in assuring that monitoring systems are in place to detect fraud and other wrongdoing.