Board Structure Is Key to Oversight

The primary role and responsibility of boards of directors is management oversight. Recent lawsuits against public company directors for oversight failures should prompt boards to consider whether their current governance structures are optimal for maximizing oversight effectiveness. It is common, but potentially problematic, for the audit committee to be tasked with all compliance oversight. This scenario can create an opportunity for a plaintiff to claim that the audit committee had insufficient resources to provide effective oversight of the compliance function. This claim may be even stronger when it relates to critical company-specific and industry-specific risks, particularly in heavily regulated industry sectors. Boards of directors should thoughtfully review their board committee structures to determine if there is sufficient management oversight of mission-critical company and industry risks and, where appropriate, consider reallocating responsibilities among various board committees, with corresponding updates to committee charters.

Avoid Overburdening the Audit Committee

Audit committees tend to have more and longer meetings than other board committees. While financial oversight is at the core of the audit committee’s mandate, it is frequently the case that audit committees are tasked with significant compliance oversight in addition to their traditional responsibilities, despite the fact that financial oversight alone is a critically important and time-consuming job. Unfortunately, given the importance and burden of financial oversight, the directors on the audit committee may have inadequate bandwidth to fully consider and address non-financial compliance issues. This could mean that potentially significant risks receive only summary review, and management presentations may lack sufficient depth for directors to adequately assess and mitigate potential risks and compliance failures.

The potential lapses in oversight that may occur when all compliance is within the remit of the audit committee have become an issue in several recent Delaware lawsuits. In the ongoing Delaware Chancery Court litigation involving the Boeing Company’s 737 MAX airplane, the court cited the following plaintiff allegations, in rejecting a motion to dismiss: “None of Boeing’s Board committees were specifically tasked with overseeing airplane safety, and every committee charter was silent as to airplane safety…. The Audit Committee was Boeing’s primary arbiter for risk and compliance.” Similarly, in a 2019 case involving Blue Bell Creameries, the Delaware Supreme Court reversed the Chancery Court’s dismissal, citing the allegation that Blue Bell “had no [board] committee overseeing food safety, no full board-level process to address food safety issues, and no protocol by which the board was expected to be advised of food safety reports and developments.” These cases indicate how some courts are likely to consider a generalized approach to compliance oversight, and they illustrate the dangers of not assigning industry compliance oversight to a specific committee. This is particularly problematic where failures of compliance oversight pose a direct threat to a company’s reputation and commercial viability.

Reconsider Board Structure

One possible approach to updating board structure would be to divide compliance oversight responsibilities among committees by subject matter. For example, audit committees could be charged with overseeing only those risks that relate to financial matters, while the compensation committee could become a more fully developed workforce committee that takes the lead on workforce oversight issues such as those relating to unions, contractor policies, diversity and inclusion, and sexual harassment as well as executive and employee compensation matters. For its part, the nominating and corporate governance committee could provide oversight with respect to governance and other related risks.

Some boards may need—and few have in place—an industry-specific committee that has responsibility for oversight of the most significant compliance and EESG (environmental, employee, social, and governance) risks that relate directly to that particular company’s business and industry. Some boards have a health and safety committee in place already that could address many of these issues. For those that do not, an industry-specific risk committee could have the mandate to focus on core non-financial business issues such as product safety and thus would be tasked with recognizing and, where appropriate, elevating to the full board any red flags raised by executives or whistleblowers as well as considering the steps being taken by management to address and mitigate these risks.

Boards that have a risk oversight committee may already be incorporating elements of this approach. The key is to ensure that the risk committee does, in fact, address the most salient risks facing the enterprise, including legal, cyber, and EESG risks, and that the allocation of responsibilities across committees situates compliance, EESG, and business review of a given issue within one committee. All financial compliance and risk oversight would be within the remit of the audit committee; all human resources compliance and risk oversight would rest with the compensation/workforce committee; all governance compliance and risk oversight would rest with the nominating and corporate governance committee; and core consumer, product liability, and environmental compliance risk oversight with the industry or risk committee. It is particularly important for the board to review and, if needed, update committee charters so that they accurately reflect the mandate and authority of committees and to ensure that no important area of oversight is unallocated or unaccounted for. In some companies, boards of directors may decide that certain risks are so essential to the operation of the business that they should rest with the full board rather than with a committee, but in that case the board must make sure that adequate time and resources are deployed to consider such risks as well as mitigation strategies. This board-level focus could be documented in the board’s corporate governance guidelines to make clear that the entire board is exercising the oversight function with respect to specified issues or risks.

Effective execution would require expertise on the board that enables directors on this committee to evaluate a range of industry-specific risks. For example, a pharmaceutical company could have at least one or two directors who are doctors or scientists (or have other sufficient capabilities) to focus on oversight of product safety and FDA compliance. Audit committees are composed primarily of financial experts, yet the fact that a director is a financial expert does not mean that he or she is knowledgeable about other key issues such as product safety compliance, human resources, or environmental risk. The same scientist who would be a valuable addition to an industry-specific committee likely would not have the right expertise for the audit committee; yet currently, companies often have former accountants and CEOs overseeing complex risks in which they have no subject-matter expertise. Indeed, many professionals with significant industry expertise lack the financial expertise qualification for the audit committee, which can make it more difficult for them to be nominated to a board in the first place. Fortunately, a need for diversity in function and expertise corresponds with the current momentum to increase racial and gender diversity on boards. A broader approach spreads the oversight workload rationally and enables a board to use more effectively the wide range of expertise brought by directors with diverse talents and professional experience.

Distributing compliance oversight responsibilities among board committees would also allow boards to benefit from diversity in the executive management team. Committees would have more time with a larger number of executives and thereby have greater exposure to the range of backgrounds, experience, and viewpoints within the company.

Separating compliance oversight by subject matter would enable executive officers to interact with board committees that are specifically focused on their areas and have the time and energy to consider thoughtfully any issues that are raised. This scenario can only improve oversight by helping to ensure that company policies are followed and that the board becomes aware of issues before they become crises. While it remains the case that the audit committee and the full board should approve the company’s compliance/EESG policies, and that inter-committee communication should be encouraged, empowered and involved committees are nonetheless essential. Ensuring that committees beyond the audit committee are focused on key elements of compliance would mean that these committees will have more time and ability to surface issues that need full board attention.

Employ Common-Sense Oversight

In light of the recent Delaware cases suggesting a focus on board oversight on the part of both plaintiffs and courts, boards should conduct an annual review to evaluate whether the company’s effect on its stakeholders is adequately reflected in the information that is reported to the board. Of note in the allegations made in the Boeing and Blue Bell cases is that product safety—an existential risk in terms of profitability and reputation—was not specifically an area of focus for board reporting and oversight. Similarly, corporate governance guidelines and board committee charters should be reviewed and reconsidered annually (and updated accordingly) to make sure that all relevant material risks are being appropriately addressed.

Priorities for compliance should be driven by business judgment and common sense, not by checklists or possibly outdated reporting and oversight structures. The oversight responsibility of directors was famously described by Delaware’s Chancellor Allen in the landmark Caremark case of 1996: “[A] director’s obligation includes a duty to attempt in good faith to assure that a corporate information and reporting system, which the board concludes is adequate, exists.” This is an opportune moment for boards to consider whether structural changes would be helpful in meeting this obligation.