Duty of Oversight, Part II
Today let’s take a closer look at that Delaware Chancery Court decision from last week that established a “duty of oversight” for corporate officers. It’s another evolutionary step in the oversight of corporate culture, which is always something corporate compliance and audit professionals need to watch closely.
The decision involved the former head of HR for McDonald’s, David Fairhurst, now being sued by shareholders for his complicity in the toxic, sexually harassing culture that existed in McDonald’s corporate offices in the late 2010s. Fairhurst argued that the case should be dismissed because only board directors have a duty of oversight. In a groundbreaking decision last week, the court’s vice-chancellor ruled that corporate officers also have a duty of oversight and that the case against Fairhurst can proceed.
Specifically, Judge Travis Laster said this:
This decision clarifies that corporate officers owe a duty of oversight … [Fairhurst] had an obligation to make a good faith effort to put in place reasonable information systems so that he obtained the information necessary to do his job and report to the CEO and the board, and he could not consciously ignore red flags indicating that the corporation was going to suffer harm.
For compliance officers, the immediate question is how a similar duty of oversight could extend to you. That is, what constitutes a good-faith effort to implement information systems that give you insights about compliance risks? What duties do you have to address red flags that might suggest the corporation was going to suffer harm from compliance violations?
For audit executives, the immediate question is whether those information systems work effectively across the whole enterprise. In his ruling, Laster said each officer has a duty of oversight for his or her area of responsibility. That means a large enterprise might have multiple officers who need multiple systems relaying information about risk. The board will want to know that all such systems exist and are working; internal audit teams will be the ones providing that assurance.
Duty of Oversight for Compliance Officers
We should be clear that Laster’s ruling is landmark only because he is the first Delaware Chancery judge to say explicitly that corporate officers have a duty of oversight. In truth, Delaware corporate law has been slouching toward that conclusion for many years. Compliance officers still have two immediate issues here.
First, when are you actually a corporate officer? Because lots of you have the title “chief compliance officer” but that’s not always the same as being a top-level corporate officer. For example, the CCO rarely appears in the proxy statement alongside usual suspects such as the CEO, CFO, and general counsel. You might report to the general counsel, or hold the title of “CCO and deputy general counsel” — which implies that the GC is the corporate officer with the duty of oversight, because he or she is the boss, not you. Plenty of people who are the top compliance executive at their company don’t have the words “chief” or “officer” in their title at all. What about them?
Laster’s ruling moonwalks past those questions, assuming that the corporation has a chief compliance officer co-equal to other corporate officers. He then backs into the idea that CCOs obviously do have a duty of oversight while shooting down Fairhurst’s argument that only directors have such a duty:
It would seem hard to argue that, simply by virtue of being an officer, the chief compliance officer could not owe a duty of oversight. That, however, is the logical implication of Fairhurst’s position that only directors can owe a duty of oversight.
Flip those two sentences around. If Fairhurst’s argument that only directors have a duty of oversight is hogwash, then simply by virtue of being an officer, the chief compliance officer has a duty of oversight. That’s what the judge is saying.
Then comes the second issue: what, exactly, are compliance officers supposed to oversee? Because Laster makes clear that almost all officers have a duty confined to their specific areas of responsibility: the CFO is responsible for financial oversight, the general counsel for legal oversight, the executive in charge of sales and marketing is responsible for those fields, and so forth.
Judge Laster identifies only two exceptions to this principle. One is the CEO. The other is the compliance officer.
You can see the logic there: the CEO is in charge of all things at the corporation; and the compliance officer is in charge of compliance risks — which can emerge anywhere within the enterprise. That point needs to be the compliance officer’s North Star as you design all those reasonable information systems we mentioned earlier.
Clearly one example of an enterprise-wide information system for compliance officers would be the internal whistleblower hotline. The more important question is what other systems you should build. What would pass muster as a reasonable information system for third-party risks? How about information on disciplinary actions, so you can assure a clear tone from the top on, say, employee use of ephemeral messaging systems?
We could spin up questions like that all day long.
What’s the Real Risk Here?
That’s an important question for compliance officers to remember, too. As much as we’re all uneasy these days with the specter of increased personal liability for compliance failures, I’m not sure that Laster’s ruling is a quantum leap forward in liability risk. He even reminds everyone of that with these words:
Another important question is the standard of liability for officers. As with directors, officers only will be liable for violations of the duty of oversight if a plaintiff can prove that they acted in bad faith and hence disloyally.
Proving that CCOs acted in bad faith is going to be a high bar, because most compliance officers are indeed good, ethical people. A compliance officer who is overworked, under-resourced, and struggling is not the same as someone engaging in disloyal, bad-faith conduct.
Let’s go back to Fairhurst from McDonald’s for a moment. He’s at risk for personal liability because he was the head of HR, ostensibly the person in charge of reducing sexual harassment at the company — and was himself accused of sexual harassment. If an executive is committing the misconduct in question, it’s a safe assumption that he’s not taking his duty to prevent such misconduct too seriously.
I don’t see many compliance officers engaging in similar dereliction of duty. I have little sympathy for those who do.
Regardless, Laster’s ruling has opened a fascinating can of worms for compliance officers, audit executives (we’ll get to the audit folks in another post, I promise!), and board directors. We’ll need to stare into it and contemplate those worms for a long while.