As corporations are continually faced with regulatory and governance challenges, coupled with requirements imposed by the Sarbanes-Oxley and the Dodd-Frank Acts, corporate boards are being held increasingly accountable for alleged oversight failures by regulators (through enforcement actions) and shareholders (through litigation). Though all directors are aware of the fiduciary duties of care and loyalty and the protections of the business judgment rule, "a director's obligation includes a duty to attempt in good faith to assure that a corporate information and reporting system, which the board concludes is adequate, exists, and that failure to do so under some circumstances, may, in theory at least, render a director liable for losses caused by non-compliance with applicable legal standards." In re Caremark International, Inc. Derivative Litigation, 698 A.2d 959 (Del. Ch. 1996). Thus, boards are essentially being asked to become "corporate CSI." Without the high-labs and nifty gadgets provided their television counterparts, they must sift through what has happened with the hope of preventing it from happening again.
Under Caremark and its progeny, a board may breach its duties by failing to work with management to:
- Implement a monitoring, compliance and risk management program
- Oversee and test the monitoring, compliance and risk management program
- Investigate possible violations once the board has actual or constructive notice of compliance and risk management issues (through whistle-blowers, formal and informal complaints, regulatory inquiries, etc.)
In oday's environment almost every company has some form of monitoring, compliance, and/or risk management program – though the scope of what such programs must cover gets bigger every day through increased cybersecurity, vendor management, and foreign practices regulations (to name just a few). However, many boards must develop better investigation protocols to fully discharge their fiduciary duties.
Generally, an investigation is an appropriate response to, among other things:
- Government investigations and enforcement actions
- Allegations of employee or company wrongdoing
- Whistle-blower allegations
- A lawsuit against the company
Critically, investigations should begin as soon as possible after a triggering event. And – while an internal legal or compliance department, at the direction of the board, can undertake such investigations – for large, complex, and/or high-profile situations, internal investigations are best handled by independent, outside counsel.
First, and, if for no other reason, use of outside counsel can help cement the attorney-client privilege; protecting critical and confidential information and analysis from discovery. Next – and equally as important, but often over-looked – engaging outside counsel with other advisors can help buttress invocation of the business judgment rule. Once on notice of compliance and/or risk management issues (either constructively or actually), if the board conducts a proper internal investigation and determines in good faith no further action is warranted, the business judgment rule should protect the board's decision. However, if there is no formal process and/or only a cursory internal process is utilized, the business judgment rule protection may not apply as "the presumption created by the business judgment rule can be rebutted only by affirmative allegations of facts which, if proven, would establish fraud, bad faith, overreaching or an unreasonable failure to investigate material facts.” Berg & Berg Enterprises v. Boyle, 178 Cal. App. 4th 1020, 1046. In addition to privilege and expertise considerations, from a pure optics perspective, engaging outside counsel to conduct high-stakes investigations not only provides attorney-client privilege protection, but it is also concrete indicia of a good-faith investigation; creating a shield for boards and an obstacle for litigants to overcome.
As boards are asked to take on more corporate investigative responsibility, to truly protect themselves and their companies, they should engage the corporate equivalent of CSI tools: experienced outside counsel and outside advisors that can utilize the attorney-client privilege and help trigger the protections of the business judgment rule.