Managing Caremark Risks: Adapting Oversight to Evolving Case Law and Regulations


Cheat Sheet 

  • Mission critical. Directors may be found liable when they fail to establish reporting systems or ignore those systems for “mission critical” aspects of the business. 
  • Evolving regulations. The quick-moving regulatory changes in business areas such as cybersecurity and sustainability may create a more expansive basis for Caremark claims. 
  • Officer liability. Though officers generally have more delimited areas of responsibility than boards, the extension of Caremark beyond directors may increase the universe of viable claims. 
  • Adapt to changing risks. Central compliance and mission critical risks are not static, and directors and officers need to continually evaluate sources of risks. 

The past half decade has witnessed a revival in Delaware Caremark claims alleging failures to ensure adequate information and reporting systems related to important sources of corporate risk. While Delaware courts have continued to impose significant limits on such claims, recent case law has suggested the potential expansion of the universe of risks subject to Caremark duties, a trend that may be further driven by the proliferation of disclosure, due diligence, and other regulations.

Although the Delaware Court of Chancery’s 1996 Caremark decision established the potential for director liability for failure to establish adequate risk oversight systems, for over two decades following this decision Delaware courts proved reluctant to entertain what the Caremark court described as “possibly the most difficult theory in corporation law upon which a plaintiff might hope to win a judgment.” The Delaware Supreme Court’s 2019 Marchand decision, which allowed such a claim to survive a motion to dismiss, signaled a potential renewed openness to oversight claims, and was followed by several other examples of Delaware courts entertaining Caremark cases.

What are “mission critical” risks?

In Caremark, the court held that directors may be liable under a duty of loyalty theory for acting in bad faith by failing either to:

(1) Establish an adequate information and reporting system (the so-called “information systems” or “prong 1” claim), or  
(2) Monitor such a system (the so-called “red flags” or “prong 2” claim), turning a blind eye to clear evidence of malfeasance.  

Significantly, because Caremark is a duty of loyalty claim, defendants cannot rely on duty of care business judgment rule defenses or on the recent expansion of Delaware law that allows a corporation to provide for officer exculpation from personal liability for monetary damages in connection with certain breaches of fiduciary duty. In addition, Caremark defendants are not protected by indemnification provisions in most circumstances, and directors’ and officers’ insurance may provide imperfect protection due to common policy limitations.


In Marchand the court allowed plaintiffs to pursue a prong 1 claim in connection with an ice cream listeria outbreak, which led to multiple customer deaths, alleging that the board and management of Blue Bell Creameries had failed to establish adequate food-safety oversight, including a lack of board committee responsibility or regular processes for management-board reporting regarding food-safety risk.

The Marchand court emphasized the core Caremark principle that claims must allege inadequate oversight related to a central compliance risk, which includes clearly “mission critical” risks. In this case, this principle was straightforwardly satisfied insofar as food safety risk intuitively goes to the heart of Blue Bell’s business viability. Following Marchand, the Court of Chancery has allowed several other prong 1 and prong 2 Caremark claims to proceed, including:

In all these cases, the relevant risks were both regulatory and related to “intrinsically” and intuitively critical business matters, such as financial statement integrity, or risks directly linked to a company’s core business, such as aircraft safety or compliance with drug safety and clinical trial regulations.

In the wake of Marchand, the courts have stated that, for risks involving “mission critical operations” that are externally regulated, the board must “more rigorously” exercise its oversight duties. While these post-Marchand cases indicate a renewed viability of Caremark claims, they also indicate that, where risks do not involve aspects of a company’s business that are both “essential and mission critical” and “externally regulated,” the courts could be less likely to allow prong 1 claims to proceed past the dismissal stage.

Even where a prong 1 claim alleges inadequate oversight of a “mission critical” or “central compliance” risk, to succeed, such a claim must be based on more than conclusory allegations or inferences. In the July 2024 Centene case, the Court of Chancery dismissed a Caremark claim against the directors of a Medicare managed care organization after the company paid over $500 million to settle claims relating to an illegal scheme by certain officers to increase incentive-based compensation by inaccurately reporting data. Among other things, the court concluded that the plaintiff’s conclusory allegations failed to establish that a majority of the directors “knew” that the company lacked an adequate compliance system and failed to take remedial action, because the plaintiff merely “infer[red] that the [committee responsible for monitoring compliance risk] shared [the] deficiencies with the Board,” which then oversaw compliance improvements.


Walmart and McDonald’s: Important, but not foundational, compliance risks?

While cases such as Marchand and Boeing suggest a narrow universe of risks directly linked to a company’s core business, substantial ambiguity remains as to the standards for defining the risk categories that trigger Caremark duties.

Compare the 2021 FedEx case, where the court concluded that illegal cigarette shipments constituting “an infinitesimal fraction” of the company’s yearly business did not involve “mission critical” risks, with the recent Walmart and McDonald’s cases, which suggest that Caremark risks may extend beyond such foundationally obvious matters as plane safety for an airplane company. Walmart’s opioid compliance policies and McDonald’s oversight of sexual harassment matters lack the obvious centrality to each company’s core business seen in the post-Marchand cases discussed above.

Walmart is a highly diversified business with far less concentrated regulatory risk than a monoline ice cream company, and workforce practices have less acute business-specific salience for McDonald’s than the risks at issue in cases such as Boeing or Clovis Oncology. In adopting more expansive understandings of Caremark risks, the courts in Walmart and McDonald’s focused on the concept of “central compliance risks” as separate from “mission critical” risks. The courts explored factual bases that could result in a risk that does not “intuitively register[] as a central compliance risk” being characterized as such, with the McDonald’s court looking at statements in the company’s policies, risk assessments, and corporate publicity regarding the importance of “respectful workplaces” to the company’s business.

The Delaware Supreme Court’s December 2023 decision in AmerisourceBergen also partially fits within this line of “compliance risk” cases. As in Walmart, this case involved regulatory compliance related to opioid sales and distribution. As a drug wholesale business, such compliance matters are undoubtedly more central to the company’s operations than to Walmart, and the company incurred several billion in settlements; however, as a diversified business with hundreds of billions in revenue, the corporate trauma involved was arguably much less acute and “mission critical” than in cases such as Marchand or Clovis Oncology. Instead, the central contention in the earlier Court of Chancery opinion and the Delaware Supreme Court’s reversal was the existence of regulatory non-compliance. Dismissed Caremark claims in In re ProAssurance Deriv. Litig. (October 2023), Conte v. Greenberg (Skechers) (February 2024), and IMG Holding LLC v. Dimon (JP Morgan) (April 2024) also partially focused on the absence of regulatory violations in claims that otherwise did not involve “mission critical” traumas.

In addition to highlighting the potential application of Caremark claims to a broader range of risk topics, these cases point to the role of external and internal corporate statements, including potentially in ESG publicity or internal compliance materials, in defining what counts as “critical” to a business.

As emphasized by the Walmart court, not all “central compliance risks” will intuitively register as such based on their “inherent nature,” and courts will need to consider more ambiguous cases, recognizing that risks “evolve over time,” with cybersecurity cited as an example. While courts may defer to board and management judgments in such ambiguous cases, contrary company statements regarding risk priorities may also be instructive.


Reasserting the high bar

While cases such as Walmart and McDonald’s signal a more expansive doctrine, Delaware courts continue to defend the fuzzy boundary between Caremark and ordinary “business risks.”

In December 2023, the Court of Chancery granted a motion to dismiss in Segway Inc. v. Cai, which involved claims that Segway’s former president had exercised insufficient oversight resulting in incorrect accounts receivable recordkeeping and related issues, but not allegations of wrongdoing or ignored “red flags.” The court emphasized that Caremark is “not a tool to hold fiduciaries liable for everyday business problems” and must involve an “utter failure” to implement an oversight system or a bad faith disregard for the law that “gives rise to a corporate trauma.”

In separate February 2024 decisions, the Court of Chancery also dismissed Caremark claims alleging that Walgreens and Skechers directors, respectively, ignored red flags related to systemic overfilling of insulin pens and related overbilling, in the case of Walgreens, and insufficient oversight of executive corporate jet usage, in the case of Skechers. As in Segway, the courts in these cases questioned the magnitude of corporate trauma, with the Walgreens court, for example, noting that billing errors related to a single product are an issue “well beneath the board’s typical purview.”

While Segway, Walgreens, and Skechers do not articulate a clear standard for the boundaries of Caremark risks, they are a helpful reminder that the post-Marchand cases do not give rise to liability for the mere mismanagement of generic business issues. In other words, Caremark remains a duty of loyalty standard, not a duty of care standard.

Officer liability

An earlier case in the McDonald’s litigation was also significant in holding that corporate officers, too, owe a duty of oversight, and may thus be susceptible to liability resulting from a Caremark claim. While officers will generally have more delimited areas of responsibility than boards, the extension of Caremark beyond directors may increase the universe of viable claims.


For example, in McDonald’s the court dismissed Caremark claims against the company’s directors, finding that they had established adequate oversight and took appropriate remedial action to address sexual harassment, while rejecting the dismissal of claims against the company’s head of human resources, who failed to act on red flags.

While not addressed in McDonald’s, officers’ limited areas of responsibility may actually expand the range of viable Caremark risks, insofar as courts may be more receptive to imputing bad faith to an officer’s inadequate oversight of risks central to their job function, even if such risks are less foundational to the overall business.

Similarly, McDonald’s contemplates that an officer who becomes aware of a “sufficiently prominent” red flag outside of his or her area of responsibility may have a duty to report upward about the red flag event. However, in the recent Segway case, the court dismissed a Caremark claim against an officer who allegedly consciously disregarded financial discrepancies, stating that “[o]fficers’ management of day-to-day matters does not make them guarantors of negative outcomes from imperfect business decisions,” and emphasized that the McDonald’s case did not create a “lower standard for oversight claims brought against officers.”

Expanding regulations: Cybersecurity, sustainability, and beyond

Evolving regulations also may play a role in defining the scope of Caremark risks. In September 2022 the Court of Chancery dismissed a Caremark claim in Construction Industry Laborers Pension Fund v. Bingle (SolarWinds) alleging inadequate oversight of cybersecurity risk.

Recognizing that cybersecurity constituted a “mission critical” risk for a software company, the court nonetheless found that plaintiffs had failed to allege facts sufficient to infer bad faith on the part of directors, pointing to, among other things, the absence of violations of positive law.

While Marchand and the other above-discussed cases involved oversight failures linked to safety and other regulations, SolarWinds did not involve an “externally regulated” risk, but rather a “business risk” in an area merely subject to SEC and stock exchange guidance. Although SolarWinds suggests that there could be situations in which a Caremark claim premised on a bad faith failure to oversee a business risk succeeds, the court described such situations as “extreme.”

To the extent that SolarWinds indicates that claims will be difficult, if not nearly impossible, in the absence of violations of law, this naturally raises the question of whether new regulations, such as the now-effective SEC cybersecurity disclosure rules, will expand the scope of Caremark risks.

In addition to cybersecurity claims, the proliferation of climate and other sustainability disclosure regulations applicable to U.S. companies, including regulations from the SEC, California, and the European Union, may strengthen the viability of Caremark claims related to climate and other environmental risk oversight, particularly for companies in sensitive industries such as oil and gas.

Similarly, the human rights and sustainability due diligence regulations, such as the German Supply Chain Due Diligence Act, or the EU’s Corporate Sustainability Due Diligence Directive, create substantive compliance requirements related to risk identification and mitigation, that may create an even more expansive basis for Caremark claims.

Adapting to changing risks

While Caremark cases remain quite difficult to successfully plead, evolving case law and expanding regulatory obligations underline that directors and officers cannot be complacent about risk oversight duties.

Central compliance and mission critical risks are not static, and directors and officers need to continually evaluate sources of risks to account for changed circumstances and tailor their risk oversight and management programs accordingly.

In addition to evolving case law and regulations, directors and officers must be attentive to various other factors that may increase the salience of risks over time, including:

  • Changing stakeholder expectations,  
  • Changes to business models and organizational structures, or 
  • Changes to geographic risk exposures resulting from factors such as supply chains, acquisitions, or the shift to remote work.   


Here are some suggestions for how you can support your company’s directors and officers in fulfilling their Caremark obligations: 

Assess your company’s risks that may fall within Caremark

Review your statements in policies, risk assessments, and corporate publicity regarding the importance and relevance of issues to your company’s business, especially those related to foundational “critical” risks for your specific line of business and to violations of law, and consider whether the characterization of risks in internal documents and external publicity corresponds to the risks prioritized by the board and senior management. To start, pay close attention to risks central to your operations, as well as the risk factors described in your SEC filings and the risk assessments and mitigations contained in Task Force on Climate-Related Financial Disclosures (TCFD) disclosures in your Sustainability Report. Given McDonald’s, be sure to include key employment law matters in this review as well. 


Review your processes for overseeing those risks 

With key issues identified, make sure you have systems in place for monitoring and responding to red flags that arise. Enlist your board and C-suite by reminding them of their obligations and supporting them in providing oversight. As an example, for Blue Bell and other companies involved in product-related Caremark cases, this surely included better product quality control processes. 

Develop your generalized “catch-all” processes

With the potential scope of Caremark duties expanding, whether through legal developments or an evolving business risk profile, taking a one-for-one approach to monitoring and responding to issues may not work. Develop your generalized processes for the breadth of risks you are responsible for. For example, make sure your anonymous reporting hotline works, develop and test your incident response processes for the breadth of issues your company faces (i.e., not only cybersecurity), and check that you implement mitigations and controls for risks found through your Enterprise Risk Management process and any distinct ESG risk review processes. 


With such steps, you can help your board and management team stay ahead of Caremark and compliance developments as they occur.