Corporate compliance officers have long been anxious about the prospect of personal legal liability for a failure in the compliance programs they manage. Now the Delaware Chancery Court has made that question even more murky, with a landmark ruling that corporate officers – including compliance officers – have the same “duty of oversight” as board directors, and must make good-faith efforts to manage the risks within their purview.
The ruling involves the former global head of HR for McDonald's, who was in that role in the late 2010s. At the time, the company was embroiled in litigation concerning an unhealthy corporate culture, including allegations of sexual harassment. Unhappy shareholders sued this individual, saying he was derelict in his duty to build and maintain a respectful corporate culture. The defense said the executive was immune from that lawsuit, because under corporate law in Delaware (where most large companies are incorporated) only board directors have a duty of oversight – not corporate officers.
The judge hearing the case shot down that argument swiftly and thoroughly, ruling that corporate officers do have a duty of oversight. That duty includes making a good-faith effort to build reasonable information systems to manage risks, and reporting problems and risks to the board as necessary.
This case is a significant one for compliance officers, chief audit executives, and other senior executives at a large enterprise. It opens the door to unhappy shareholders suing those executives personally for some corporate scandal that happens during their tenure.
We don’t know whether a flood of shareholder lawsuits against corporate officers will now follow, and even if that does happen, there’s no guarantee the shareholders would succeed – but it’s still an unsettling prospect for most corporate executives, who weren’t subject to this level of liability before.
Compliance officers are in a difficult spot
First is the question of when a compliance officer even qualifies as a “corporate officer” who would incur these heightened duties. In many cases, the answer is unclear.
For example, the person chiefly responsible for ethics and compliance at a company might have a title such as “senior director of ethics and compliance.” That person is the de facto chief compliance officer at the business – but are they truly a corporate officer, when they reside three or four rungs down on the org chart? The Delaware Chancery Court only talks about “chief compliance officers” as if all companies have an executive with that title, and the CCO is always a senior executive. The reality is much more diverse.
So, what does that mean for the personal liability of compliance officers who aren’t clearly senior executives? Right now, we don’t know.
Compliance officers should also ponder the precise duties of oversight that the Delaware Chancery Court identified. As mentioned above, there are two: building reasonable information systems to manage risks; and “not consciously ignoring red flags” indicating that the company was going to suffer harm.
These duties will be particularly tricky for compliance officers since they are in charge of compliance risks – and those risks can come from anywhere. So, compliance officers will need to make good-faith efforts to build internal reporting systems that can span across the entire enterprise.
Obviously one such system would be the internal reporting hotline. But what other information systems should a company have in place? For example, should you build sophisticated data analytics to identify outlier transactions? What alerting or escalation procedures should you have in place to bring serious allegations to the CCO’s attention immediately?
Again, the Delaware Chancery ruling doesn’t say. It only lays down the (very sensible) principle that corporate officers must make some sort of effort to gather information and understand what’s going on in their purview, but it leaves us afloat on that abstract idea. Compliance officers work in concrete details.
Also remember that second duty of “not consciously ignoring red flags.” This leaves compliance officers in yet another tricky position, because a red flag in your world typically means fraud or misconduct. So how vigorously must a compliance officer raise that red flag? Do you bring it to the board? If the board takes no action, do you then bring the matter to regulators? If the board or senior management do take action, but that action doesn’t address the root cause – has the CCO fulfilled his or her duty anyway?
Stay tuned
Again and again, we return to an unsatisfactory answer: we don’t know. The principle expressed by the court seems simple, but countless fact patterns could take that principle and tie compliance officers into knots.
We do know that making an effort matters. Compliance officers will still need to build effective compliance programs, and still take ethics and compliance violations seriously.
But for those compliance officers who feel like you’re taking punches from all sides these days, this ruling won’t ease your discomfort.
All compliance officers need a foundation of tools available to help them establish and sustain a culture of compliance. This includes whistleblower hotlines and incident management, training, policy and procedure management, and more. To learn more about how NAVEX provides the tools needed to establish a robust compliance program:
Discover the NAVEX One GRC Information System