​Board Risk, Caremark Duties, and Internal Audit

Proof that boards are increasingly being held responsible for reputational damage suffered by their organizations was recently reported by Agenda, which identified 25 complaints in the 12 months leading up to and including June 2019. These were complaints "filed or amended in federal court that placed some responsibility at the feet of the board for a company's reputational harm." An additional six cases were filed in the previous 12 months.

While the details vary in each case, they commonly claim oversight failures by directors. In some cases, the board didn't have a reporting mechanism to learn about certain critical risks. In others, directors appeared to have been kept in the dark.

Boards must be aware of how easily their organizations' bad behavior can be uncovered, and the speed by which that news spreads. The new catalyst? Social media. Once a problem is exposed, traditional media takes over, along with shareholders, customers, and activists, in what can easily become a loud chorus of condemnation. Lawsuits often follow.

As the article states, "dirty laundry is going to surface" and this dirty laundry can quickly produce deep reputational damage as well as significant potential liability for board members. And, it's not just bad behavior that grabs the spotlight: it can be an attempt to cover up an issue, or pass off sub-par products and services. Directors and company officers are named in a variety of issues, including securities litigation, possible U.S. Foreign Corrupt Practices Act violations, or federal regulatory enforcements.

Identifying risks associated with these behaviors can easily fall within internal audit's sweet spot. Once identified, it is critical that internal audit leaders have the proper channels to communicate these red flags to the right people. Boards must recognize the increasing jeopardy they are putting themselves in, embrace internal audit's role, and position internal audit to be regularly heard.

Lawsuits alleging directors can be liable for failures in their oversight duties were bolstered this summer by a case cited in the Agenda article involving Blue Bell Creameries. A 2015 listeria outbreak linked to three deaths caused the company to shut down production, recall all products, and later reduce its workforce by more than a third. A suit alleged senior management disregarded warnings from employees about contamination risks, and board minutes indicated directors had no system requiring reporting from management about food safety. The plaintiffs lost when the Delaware Court of Chancery in the fall of 2018 dismissed their claim that the directors breached their "Caremark duties."

Caremark duties are the result of a 1996 Delaware Chancery Court decision in the derivative action case brought by shareholders of Caremark International Inc., alleging the board of directors breached their duty of care by failing to put in place adequate internal control systems. The Caremark rule states that "a director's obligations includes a duty to attempt in good faith to assure that a corporate compliance information and reporting system, which the board concludes is adequate, exists, and that failure to do so under some circumstances may, in theory at least, render a director liable for losses caused by non-compliance with applicable legal standards."

Ultimately, the Delaware Supreme Court reversed the chancery court decision in June, writing that there is a "reasonable inference that the Blue Bell board failed to implement any system to monitor Blue Bell's food safety performance or compliance, and thus a viable claim exists that directors breached their Caremark duties." The Delaware Supreme Court opined that "in Blue Bell's case, food safety was essential and mission critical."

A board having no system of hearing about food safety in a food production company, I have to believe, is something an internal audit function could have easily flagged.

Directors should seek internal audit's independent assurance and advice on critical issues, given this current environment of increased exposure. Meanwhile, internal audit should refocus its efforts to bring forth information, and secure more of the board's time to discuss these risks. Internal audit must be prepared, for example, to share how hotline issues are handled, or how sexual harassment issues are being ascertained, or how processes are working to provide assurance ofenvironmental, social, and governance issues.

Most importantly, internal audit must regularly link weaknesses in the organization back to strategy and objectives, and use its insights to help management in its decision-making, further proving its value.

Internal audit's opportunity is to know about the dirty laundry and provide independent assurance and advice to the board on key risks, which will allow directors to not only protect their organizations but their personal reputation as well.