A significant June 2019 decision by the Delaware Supreme Court interpreting the Caremark doctrine that limits director liability for an oversight failure to “utter failure to attempt to assure a reasonable information and reporting system exists” prompts this update.
The Court said that in order to “satisfy their duty of loyalty,” “directors must make a good faith effort to implement an oversight system and then monitor it” themselves, because the existence of management- level compliance programs alone is not enough for the directors to avoid Caremark exposure.
The Delaware Supreme Court reversed the Delaware Court of Chancery’s dismissal of a Caremark claim that arose out of the Blue Bell Creameries’ (“Blue Bell”) ice cream listeria outbreak where there was an alleged pattern of disregarded food-safety warnings. The Delaware Supreme Court’s opinion in this closely watched case provides useful guidance to directors about the proper role of the board in overseeing risk management and compliance programs.
Blue Bell’s former CEO, Paul Kruse, was separately indicted and charged in seven (7) separate counts for conspiracy and wire fraud for concealing from customers information known to the company about the listeria contamination. Each count holds a maximum sentence of twenty (20) years in prison and a maximum fine of $250,000.
His case was later dismissed (but may return) because he was not charged by grand jury indictment.
Breach of Duty
Caremark defines a director’s duty of care in the oversight context and is at the very least a label attached to what all now agree is a necessary and proper subject of attention for every board of directors: corporate compliance as a function within the broader task of enterprise risk management. Caremark defined duty of care as “the care an ordinarily prudent person in a like position would exercise under similar circumstances”.
The Caremark decision built a high wall for plaintiffs to scale in asserting a board’s failure to comply with duty of care and loyalty standards. A landmark case before the Delaware courts in 1996, the decision written by the Court of Chancery of Delaware for In re Caremark International Inc. clarifies the board’s duties in relation to its oversight activities. The court outlined what plaintiffs must prove when claiming that directors breached their duties, notably that:
- Either the directors knew or should have known that violations of the law were occurring; and, in either event,
- The directors took no steps in good faith to prevent or remedy that situation; and
- Such failure resulted in the losses alleged in the complaint.
Recently, the Delaware Supreme Court overturned and remanded a decision by the Chancery Court, ruling that a Plaintiff had indeed scaled the Caremark standard in their complaint. The case, See Marchand v. Barnhill, No. 533, 2018 (Del. June 18, 2019), involved the directors and officers of Blue Bell Creameries’ (“Blue Bell”) founded in 1907, the creamery produces a product lineup that includes Blue Bell Ice Cream, Light Ice Cream, No Sugar Added Ice Cream, Sherbet and frozen snacks that are manufactured and distributed to supermarkets and food stores through Blue Bell’s direct store delivery program.
On April 20, 2015, Blue Bell voluntarily recalled all of their products from the supermarket and food store shelves and shut down all production operations after the Centers for Disease Control and Prevention (“CDC”) and the U.S. Food and Drug Administration (“FDA”) and several state health agencies found evidence that linked listeriosis (“listeria”) to Blue Bell Creameries products. Listeria is a life-threatening infection caused by eating food contaminated with the bacterium (germ) Listeria monocytogenes. The germ infected ten (10) people with several strains of Listeria and resulted in the reported deaths of three (3) people. As the organization’s revenues dropped precipitously, it terminated more than half of its workforce and ceased paying distributions to its limited partners. Ultimately, Blue Bell was fined by government authorities for poor safety policies and practices.
Blue Bell suffered losses because, after the operational shutdown, Blue Bell suffered a liquidity crisis that forced it to accept a dilutive private equity investment. The plaintiffs in this case brought a complaint that two key executives (President & CEO and the Vice President of Operations) and the board breached its fiduciary duties.
The complaint alleges the President and CEO and the Vice President of Operations
breached their duties of care and loyalty by knowingly disregarding contamination
risks and failing to oversee the safety of Blue Bell’s food-making operations, and
that the directors breached their duty of loyalty under Caremark.
The court was compelled to decide in the plaintiff’s favor due to evidence of the simplicity of the organization’s business model; the industry-specific risk of food safety; the lack of board oversight of food safety issues; and the absence of protocols by which the board expected to be advised of developments in this risk area.
It was concerning to the court that when “yellow and red flags about food safety were presented to management, there was no equivalent reporting to the board and the board was not presented with any material information about food safety” during the critical period leading up to the three deaths. In the court’s view, these facts created “a reasonable inference that the directors consciously failed to attempt to assure a reasonable information and reporting system exist[ed].”
The Caremark standard is burdensome for the plaintiffs’ bar to overcome. Indeed, it was stated in a footnote of the Marchand v. Barnhill ruling that “[under Delaware] law, director liability based on the duty of oversight is possibly the most difficult theory… upon which a plaintiff might hope to win a judgment.”
The key Delaware Supreme Court determinations, both fact-driven, were:
- Independence. The Supreme Court held that one director, viewed by the Court of Chancery as independent, was not independent based on the allegations in the complaint. As a result, the court found that a majority of the board was not independent and disinterested for purposes of the board’s consideration of a stockholder demand to file a lawsuit against directors and officers.
- Oversight. For purposes of denying a motion to dismiss by the organization, the facts alleged by the plaintiffs were sufficient to satisfy the high Caremark standard for establishing that a board breached its duty of loyalty by failing to make a good faith effort to oversee a material risk area, thus demonstrating bad faith.
Some Guidance for Directors
Marchand is a noteworthy decision, both because it illustrates the outer bounds of directors’ oversight duties and because it represents a rare instance of prospective Caremark liability.
The specific deficiencies at Blue Bell listed by the Court serve as a helpful guide to the minimum best practices under Delaware law: a board should consider
- Dedicating a committee to its main compliance risks;
- Establishing protocols requiring management to keep it apprised of compliance practices, risks, and reports;
- Setting a schedule to assess its main compliance risks on a regular basis;
- Formulating procedures for the communication of red or yellow flags to the board and memorializing the associated discussions in board minutes; and,
- Arranging for and documenting regular discussions of compliance risks at board meetings.
Review Your Public Filings
Given that the risk factors listed in Form 10-K generally represent the organization’s core areas of concern, directors should review their organization’s recent public filings and evaluate the organization has an adequate board-level oversight process in place to address relevant risk factors.
Monitoring and reporting systems
A board-level compliance monitoring system directed at and overseeing the organization’s central compliance risks must be in place. The Court made clear that, where appropriate board-level oversight systems exist, Caremark claims generally fail. The compliance system must be implemented in good faith, must be governed by appropriate procedures, and must be tailored to the organization’s business and its core compliance risks.
Compliance risk is the threat posed to an organization’s financial, organizational or reputational standing resulting from violations of laws, regulations, codes of conduct, or organizational standards of practice. To understand risk exposure, many organizations should review and improve upon or implement a comprehensive risk assessment process to fully incorporate compliance risk exposure. The assessment should be performed by subject matter experts along with appropriate business and functional personnel in order to achieve successful results
Never truncate the oversight process by merely listing risks.
Align the board’s oversight and risk mitigation efforts with the organization’s most significant risks, given its strategy and business model. Listing the organization’s risks or documenting them in a heat map from time to time but failing to identify key risk indicators, assign ownership and implement mitigation efforts falls short of effective oversight. A well conducted risk assessment will identify and prioritize the most critical risks and enable the assignment of resources to effectively and efficiently mitigate these top risks.
Allow time on the board agenda for risk oversight, and set risk escalation and monitoring protocols.
Executives responsible for managing risk should be positioned to succeed with policies, processes, reporting, and systems appropriate to the industry. Risk management issues should be discussed regularly. In understanding who is responsible for the key risks, the broad strokes of the risk responses in place, and the nature of arising issues, the board should ask questions to satisfy itself that mission-critical matters are escalated to their attention in a timely manner,especially those related to compliance.
Pay attention to culture.
Organizational culture and performance incentives were highlighted as areas of concern in the case against Blue Bell because it was inexplicable to stakeholders that management did not inform the board of the matters in question. The board must have confidence that management will act promptly to inform it when mission-critical issues of any nature arise. Setting specific and clear expectations of management and risk owners who are tied to mission-critical risks, and including relevant topics at regularly scheduled meetings will help the board attain that confidence and nurture a culture of trust, openness, transparency and timely communications about emerging problems. Companies are encouraged to conduct cultural assessments to help identify risk culture, levels of transparency for reporting concerns and ability to promptly respond to complaints or concerns
Delineate full board and standing committee roles.
The complaint against Blue Bell Creameries alleges that, despite the importance of food safety, the board had no committee overseeing it, no full board-level process to address it, and no protocol by which the board expected to be advised of developments relating to it. When delegating responsibilities to its committees, the full board should ensure the appropriate committee covers the key risks—whether it currently exists or has to be created and newly chartered—and that information flows are sufficient to apprise the full board of critical matters.
Maintain minutes concerning critical risk matters.
According to the court, “minutes from the board’s […] meetings are bereft of reports on the listeria issues […] [and] revealed no evidence that these were disclosed to the board.” The court’s findings suggest an expectation that management will escalate mission-critical matters to the board on a timely basis, that the board will set protocols for such escalation, and that there will be evidence in the minutes that such matters were discussed by the board. It was troubling to the court that the board left the organization’s response to the listeria outbreak to management instead of holding more frequent emergency board meetings to provide ongoing updates to board members.
The Blue Bell Creameries case is based on unique facts related to food safety and compliance matters. Nonetheless, the court’s decision might be more than a metaphorical “shot across the bow” and a real warning for boards to ensure their risk oversight processes meets or exceeds fiduciary standards and takes into account the unique regulatory demands of the industry.
The Delaware Chancery Court’s decision in In re Caremark has greatly influenced the growing field of Compliance as a legal subject and field of practice over the past 20 years. That being said, having active and engaged board oversight in the areas of risk and compliance is a must!
While the Delaware case sends a cautionary message to directors, the DOJ memorandum on the Evaluation of Corporate Compliance Programs provides guidance for directors as they work to fulfill their oversight responsibilities.
I welcome your thoughts and comments.
About 48 million people in the U.S. (1 in 6) get sick, 128,000 are hospitalized, and 3,000 die each year from foodborne diseases, according to recent data from the Centers for Disease Control and Prevention. This is a significant public health burden that is largely preventable.
The Food Safety & Modernization Act (FSMA) is aimed at preventing intentional adulteration from acts intended to cause wide-scale harm to public health, including acts of terrorism targeting the food supply. Such acts, while not likely to occur, could cause illness, death, economic disruption of the food supply absent mitigation strategies. Rather than targeting specific foods or hazards, this rule requires mitigation (risk-reducing) strategies for processes in certain registered food facilities.
This rule applies to both domestic and foreign companies that are required to register with the FDA as food facilities under the Federal Food, Drug, and Cosmetic (FD&C) Act.
This rule is designed to primarily cover large companies whose products reach many people, exempting smaller companies. There are 3,400 covered firms that operate 9,800 food facilities.
DOJ, Harvard Law School, NACD