Tim J. Leech

Recent case law developments in Delaware’s courts underscore the importance for corporate boards to monitor “mission critical” operations at their companies. These developments have important corporate governance implications, as I detailed in a September blog post (here). In the following guest post, Tim J. Leech, FCPA FCA, Managing Director, Risk Oversight Solutions Inc., takes a deeper look at the corporate governance implications from the recent duty of oversight/duty to monitor case law. I would like to thank Tim for allowing me to publish his article as a guest post on this site. I welcome guest post submissions from responsible authors on topics of interest to this site’s readers. Please contact me directly if you would like to submit a guest post. Here is Tim’s article.

*****************************

Directors concerned about personal liability, and performance as board directors, are likely aware of U.S. case law defining director fiduciary duty of oversight. Since the Delaware Caremark decision in 1996, lawyers have written many excellent summaries of the findings of US courts in cases alleging board/director duty of oversight breaches per Caremark and more recent decisions. A small sample includes:

A Director’s Duty of Oversight after Marchand in “Caremark” Case, Harvard Law School Forum on Corporate Governance, Jan 2022

Risk Management and the Board of Directors, Harvard Law School Forum on Corporate Governance, Sept 2023

Corporate Governance, Board Risk Management, and Duty to Monitor Case Law Developments, D&O Diary, Sept 2024

The theme of all three articles – boards need to pay a lot more attention to oversight of “MISSION CRITICAL OBJECTIVES/RISKS”.

My personal favorite is the last one written by attorney and global D&O insurance expert Kevin LaCroix. Today’s post provides my commentary on his six recommendations to directors from a corporate governance perspective.

LaCroix lays a foundation in his opening:

“As case law has developed, the Delaware courts have identified two “prongs” that characterize the requirements of the duty of oversight. The first prong has to do with companies’ “mission critical” operations and functions, for which boards should have reporting mechanisms enabling the directors to monitor these critical operations. The second prong has to do with “red flags” that should alert the boards that there are key developments that boards should be monitoring.

These developments have important implications for corporate boards. At a minimum, boards will want to consider what steps they should take in order to make sure that if they are hit with one of these kinds of breach of the duty of oversight claims, that they are in a position to defend themselves and to attempt to refute the claims. Even more importantly, well-advised and well-intentioned boards will want to ensure that they have mechanisms in place to monitor their companies’ “mission critical” operations and functions and to oversee their companies’ responses to “red flags” that emerge.”

His article includes six recommendations re steps boards should take. These are replicated below, followed by my commentary on practical, real-life implementation issues/concerns based on 40+ years working with companies around the globe.

LaCroix Recommendation #1: “First, the boards should undertake a risk assessment process, in order to make sure the board has identified the most important risks the company faces, as well as how those risks are being monitored, by management and by the board. The boards will also want to understand what processes are in place to identify emerging risks, including regulatory developments and industry changes, as well as how frequently the emerging risks are being evaluated and assessed. Timeliness and regular reporting are key considerations.”

Tim’s Commentary: Excellent advice, but not one I suspect many boards have acted on.  It doesn’t have to be complicated.  It can start with two simple questions from a board chair to the CEO:


QUESTION #1 – What are the company’s MISSION CRITICAL OBJECTIVES, our top strategic/value creation and value preservation objectives key to long term success?

QUESTION #2 – Who will be providing the board with information on risk/uncertainty re likelihood of achieving them?

It’s important to note that the globally accepted definition of the word “risk” is the ISO definition: “effect of uncertainty on objectives”. In the US, the Committee of Sponsoring Organizations of the Treadway Commission (COSO) defines “risk” as “the possibility that events will occur and affect the achievement of objectives”.

By definition, MISSION CRITICAL RISKS are risks that could affect achievement of MISSION CRITICAL OBJECTIVES. I define MISSION CRITICAL OBJECTIVES as “top strategic/value creation and value preservation objectives”. These are objectives capable of making companies great, and those that, if not achieved, can seriously erode entity value (huge fines/sanctions/reputation damage/termination of right to do business, possible jail time for execs).

What is not recognized by many, including most shareholders, is that there is often strong resistance from CEOs to defining an entity’s MISSION CRITICAL OBJECTIVES, and reporting to boards on risk linked to them.

In my work with companies around the globe, it has been rare to find one that had previously defined their MISSION CRITICAL OBJECTIVES (“MCOs”) and shared them with the board.

To get an independent view on CEO reluctance to share MCOs and related risk with their board, I asked Chat GPT 4.0 a key question:

Why is there so much management resistance to defining what a company’s MISSION CRITICAL OBJECTIVES are?

ChatGPT (responses have been truncated):

Management resistance to defining “mission-critical objectives” often stems from a few key reasons, including:

Fear of Accountability: When objectives are clearly defined as “mission-critical,” it’s easier to hold individuals and teams accountable for meeting them. Managers might fear this scrutiny and the potential fallout from failing to meet these high-stakes goals.

Avoiding Priority Constraints: Defining mission-critical objectives forces leadership to choose what really matters, often at the expense of other projects or initiatives. Many managers resist this prioritization because they want to keep options open and avoid saying “no” to certain initiatives or departments.

Strategic Ambiguity: ………

Fear of Organizational Resistance:

Lack of Clarity or Vision: …

Resource Allocation Tensions:

Short-Term vs. Long-Term Focus:

Cultural Barriers: …….

I then asked Chat GPT:

TL: What percentage of CEOs do you think are reluctant to report to their board on state of risk/uncertainty linked to MISSION CRITICAL OBJECTIVES?

ChatGPT:

While specific statistics on the percentage of CEOs reluctant to report on risks linked to mission-critical objectives are hard to pinpoint, anecdotal and research-based evidence suggests that a significant proportion of CEOs show reluctance in this area. Estimates vary based on organizational culture, industry, and geographic location, but here are some considerations:

Approximate Estimates:

Conservative Estimate: Around 30-50% of CEOs may show reluctance due to cultural or structural factors.

Higher in Risk-Averse Industries: In heavily regulated or high-stakes industries like finance or healthcare, this could rise to 50-70%, as reporting risks may invite regulatory or stakeholder scrutiny.

Lower in Risk-Aware Organizations: In progressive or well-governed organizations, the figure might drop to 10-20%, where risk reporting is seen as a strategic advantage.

Boards need to try to determine where CEOs that report to them fall in the estimates Chat GPT has provided.

LaCroix recommendation #2: “Second, boards should identify and assess the systems that are in place to collect and report information related to key compliance areas, and in particular the board will want to understand the procedures for escalating important issues to the board. Relatedly, the board will want to understand the internal processes for addressing audit findings or whistleblower reports, particularly how these items are communicated to the board.”

TL Commentary: The second question I recommend all boards ask their CEOs opens an opportunity for boards to understand who, if anyone, will be providing them with risk status linked to MCOs, and how they have produced it. In many companies today, even large ones with risk functions and/or internal audit, boards receive little information on risk status linked to MCOs. Most risk and internal audit functions don’t focus on assessing risk linked to MCOs, despite many claiming they focus on “top risks”. Multiple surveys done by NCS/AICPA indicate strategic plans presented to boards for approval by CEOs often include little coverage of what was done, if anything, to complete structured risk assessments on likelihood of accomplishing them.

LaCroix recommendation #3: “Third, the board will want to understand how critical business functions and operational issues are being overseen by the board and relevant committees. The board will want to understand where the ongoing responsibilities for monitoring these key business functions and operational issues reside, and in particular, determine whether there are dedicated committees responsible for overseeing key areas, as well as how frequently these committees are reporting to the full board. (With respect to this latter point, it is important to note that in both the Wells Fargo and Abbott Laboratories cases, the court considered it highly significant that the respective boards lacked specialized committees to oversee mission critical operations and functions.)”

TL Commentary: Once a board has a clear line of sight to the company’s MCOs, it is a relatively easy step to map each of the MCOs to the board committee(s) that is/will be responsible for overseeing status of risk/uncertainty linked to them. This step immediately generates the question of who in management, if anyone, will be reporting to the board on risk status. Be warned, however: in many companies the initial mapping exercise of MCOs to board charters may suggest huge gaps.

LaCroix recommendation #4: “Fourth, in light of the fact that the board is dependent on management’s actions in elevating issues and reporting on key developments, the board will want to understand the standards in place for elevating issues, as well as how frequently management will provide the board with updates on critical issues and potential concerns. Along those same lines, the board will want to assess the management’s response to key issues and developments. By the same token, the board will want to set expectations for management to escalate to the board considerations relevant to critical issues.”

TL Commentary:  This step requires determining what form of risk assessment has been/will be done on each MCO, and who will do it.  This can be done very easily by creating an MCO Register that defines who has primary responsibility to assess/report on risk linked to each MCO, target level of risk assessment rigor, target level of assurance on risk status information, and process used to decide if current residual risk is acceptable and, if not, whether it warrants escalation to the board. Big risk acceptance decisions made by management should be reviewed by the board. NOTE: It may be a huge shock for many companies moving to a system where management has to make documented decisions on acceptability of risk status linked to MCOs, and then share their decision and rationale for their risk acceptance decisions with the board. In companies that have risk and/or internal audit, boards can ask for reports from CROs/CAEs on reliability/timeliness of risk status information linked to MCOs management provides, and whether risk/IA believe specific management risk acceptance calls warrant board review.

LaCroix recommendation #5: “Fifth, in order to be able to substantiate the board’s efforts, directors will want to ensure that board discussion and decisions on the key risk issues are well documented in board and committee minutes. In addition, from a board governance perspective, directors should regularly review its oversight and monitoring practices and procedures, and make adjustments as necessary. The ultimate question is how the board makes sure that the directors are adequately informed about the company’s critical operations and risks.”

TL Commentary: Few boards today get risk/uncertainty status information on MCOs, so there is little practical experience re how it is presented to boards, and how board discussions/decisions re board agreement/disagreement with management’s risk acceptance decisions are documented. Great care must be taken in this area, as boards are frequently made aware of specific big risks being accepted by management that they were not previously aware of. Legal advice may need to be obtained on risk status linked to MCOs, particularly MCOs related to employee/public safety, product quality, legal compliance, contractual compliance, and other legally sensitive objectives. This includes risk status linked to key strategic objectives, like Wells Fargo’s incredibly aggressive sales targets, TD Bank’s compliance with AML laws in the US, airplane safety at Boeing, etc., that include risks linked to possible illegality, employee/public safety, product quality, and others identified by the courts as “mission critical”.

LaCroix recommendation #6: “Sixth, boards should be particularly aware of and sensitive to “red flags” that may arise and that could indicate serious concerns and that could require additional investigation. Relatedly, the board will want to understand management’s protocols for elevating potential red flags to the board.”

TL Commentary: Excellent advice, but few companies today have monitoring/reporting systems in place capable of delivering reliable information to boards. This is compounded by strong evidence that more than a few CEOs, even a majority of CEOs in some business sectors per Chat GPT, are reluctant/unwilling to share much information on the real state of risk/uncertainty linked to MCOs with their boards.

Conclusion: Boards need to start by asking CEOs that report to them the two simple questions I recommend in this post’s introduction. Those two questions will open an opportunity to cover all of the important steps Kevin LaCroix has recommended. It’s important to recognize that LaCroix has expert-level knowledge on D&O insurance trends and the use of insurance and indemnities to protect directors. Some day, perhaps soon, insurers may include an evaluation of how risks linked to MISSION CRITICAL OBJECTIVES are managed during the D&O insurance underwriting/pricing process.

WARNING TO READERS: The answers you get in terms of CEO receptivity to reporting on risk linked to MCOs may create additional director liability if little is done to respond to big gaps in board oversight of MISSION CRITICAL OBJECTIVES/RISKS.