A recent ruling from the Delaware Chancery Court marks the increased judicial scrutiny of the obligations of directors to fulfill their Caremark duties to oversee an effective compliance program. In the case of In re the Boeing Company Derivative Litigation,[1] the Delaware Chancery Court denied a motion to dismiss filed by defendants, the board of directors for Boeing, against plaintiff shareholders’ claims alleging failure to establish a reporting system for airplane safety and ignoring red flags about airplane safety problems related to the development of the troubled 737 MAX jet. Under a 1996 decision of the Delaware Chancery Court, In re Caremark International Inc. Derivative Litigation, a board’s directors are obligated under Delaware law to ensure that the corporation has an effective system of reporting “appropriate information” to the board in a “timely” fashion.[2] The high pleading standard identified in Caremark–that "only a sustained or systematic failure of the Board to exercise oversight[,] such as an utter failure to attempt to ensure a reasonable information and reporting system exists” constitutes a breach of duty of good faith–has made it difficult for shareholders to successfully bring claims against directors for failures relating to compliance programs. The Boeing decision demonstrates that courts are using new methods for analyzing the Caremark standard, a shift that mirrors the evolution of federal practices in the prosecution and sentencing of companies.

While Caremark articulated the required duty, it provided no guidance on how to assess whether boards were providing effective oversight over compliance programs. A ready source of guidance for assessing effective board oversight is found, however, in federal principles and law concerning criminal prosecution and sentencing of companies. In fact, the observation of the court in Caremark that directors must be mindful of a company’s compliance program was based, in part, on the Court’s acknowledgment that the federal sentencing guidelines had established significant corporate criminal penalties.[3] In 2010, those guidelines were amended to incentivize organizational self-policing “through an effective compliance and ethics program” by predicating corporate culpability in part on whether a company had a compliance program that was “reasonably designed, implemented, and enforced” to effectively prevent and detect criminal conduct.”[4]

The Justice Department’s Principles of Federal Prosecution of Business Organizations has long included the existence of an effective compliance program as one of many factors in determining corporate liability and leniency, but, recently, the Justice Department provided more detailed guidance on the questions it will ask when assessing the effectiveness of a corporate compliance program.[5] The updated 2020 guidance from the Justice Department focuses on many factors, but relevant to the Caremark duty of care, the guidance asks whether a company has ensured that employees are aware of the company’s reporting system and monitors its effectiveness. The 2020 guidance also examines whether the board has the necessary expertise among the directors to provide effective compliance oversight, and whether the board is receiving necessary information by looking at whether the compliance function has independent reporting to the board. In that regard, the guidance specifically asks if the board is apprised of internal audit findings.[6]

In the Boeing case, the corporate defendants argued that the Board apprised themselves of safety by monitoring the progress of the 737 MAX program through the FAA’s extensive certification review.[7] The Delaware Chancery Court, however, faulted the Boeing Board for failing to ensure that there was an adequate internal reporting system that would allow safety claims to rise to the Board’s attention. The Court noted that the Board should have discussed airplane safety more regularly at its meetings and should have proactively demanded that management provide it with safety reports.[8] The Chancery Court also highlighted the Boeing Board’s failure to create a committee specifically dedicated to safety – an outlier among other companies dedicated to air travel.[9] Further, the fact that Boeing operated in a highly regulated industry led the Chancery Court to admonish – rather than recognize – the Board’s attempt to defend itself by pointing to regulatory safety protocols. Particularly in the context of a highly regulated industry, the Chancery Court found that the Boeing Board should have been as focused on safety as on profits.[10]

Although the Caremark standard remains intact, the methodology the courts use to examine a board’s Caremark duties will surely continue to evolve and be informed by the expectations for board conduct that are set forth in the federal sentencing guidelines and the Justice Department's guidance. The Chancery Court’s scrutiny of the whether the Boeing Board sought to ensure it had access to safety information independent from management and had organized itself to be able to consider such safety information parallels the focus of the Justice Department’s guidance on (a) whether independent reporting channels exist between the compliance function and the board and (b) whether the board considered issues identified by compliance and internal audit. Similarly, in faulting the Boeing Board for focusing on reputation and profit in its meetings with management instead of safety, the Court, in essence, stated that the Board had failed to ensure that management understood that safety compliance was a priority for the Board.[11]

Going forward, directors can proactively seek to meet their obligations under Caremark by considering the following key areas identified by the Justice Department’s guidance for assessing the effectiveness of the corporation’s compliance program:

  1. Has the board ensured that the company has an effective compliance program that addresses its material risks?
    • Does this include a mechanism to ensure that the board is kept apprised of evolving company-specific and industry risks?
    • Is the board asking about whether sufficient resources are being provided to ensure compliance?
  2. Has the board ensured that there is a reasonable reporting system in place for alleged compliance violations or violations of law?
    • Is this system being monitored and tested for effectiveness?
    • The board should be aware of the implications of the Dodd-Frank whistleblower program and how the company would handle internal allegations that may potentially become Dodd-Frank referrals to the SEC.
  3. Is the board being briefed on material compliance issues or allegations?
    • Does the board follow up on the resolution of material allegations and ask about causes and remediation?
    • Is the board aware of any significant compliance issues or deficiencies flagged by internal (or external) auditors, and does it address those?
  4. Does the CCO have independent access and reporting to the board?
    • How often does the CCO meet independently with the board or a member of the board?
    • How often is the board briefed on the operation of the compliance program?
  5. Is the board ensuring that management is setting the right “tone at the top” for compliance throughout the organization?
    • Does the board regularly and proactively ask management to demonstrate steps it is taking to ensure the compliance is a priority throughout the organization?

As the Boeing case makes clear, the Caremark standard will increasingly be informed, at least implicitly, by how the board addresses these questions regarding the compliance program in its oversight role and in its meetings with management.