Corporate compliance officers have long worried about personal liability for the failure of the compliance programs they manage. Now, in a landmark ruling, a Delaware state court has held that corporate officers, including compliance officers, owe the same “duty of oversight” as directors and must make a good-faith effort to manage risk.
The ruling involves McDonald’s former global human resources chief, who held that role in the late 2010s. At the time, the company was embroiled in litigation over an unhealthy corporate culture, including allegations of sexual harassment. Aggrieved shareholders sued the executive personally for failing in his duty to build and maintain a respectful corporate culture. The defense argued that under Delaware corporate law (Delaware being where most large corporations are incorporated), only directors have a duty of oversight; executive officers do not, so the claim could not be brought against him.
The judge who heard the case rejected that argument and ruled that officers, like directors, have a duty of oversight. That duty includes good-faith efforts to establish reasonable information and reporting systems to manage risk, and to report issues and risks to the board as appropriate.
This case matters for compliance officers, chief audit executives, and other senior managers at large companies. It opens the door for aggrieved shareholders to sue those executives personally over corporate scandals that occurred during their tenure.
Will this ruling lead to a wave of shareholder lawsuits against corporate executives? Perhaps, but even where a lawsuit is filed there is no guarantee that the shareholders will win.
Compliance officers are in a tough spot
The first question is when a compliance officer qualifies as a “corporate officer” who owes these heightened duties. The answer is often unclear.
For example, a company’s chief ethics and compliance officer may carry a title such as “Senior Director of Ethics and Compliance.” That person is the de facto chief compliance officer, but if they sit three or four steps down the organizational chart, are they really an officer of the company?
So what does personal liability mean for compliance officers who are clearly not senior management?
Compliance officers should also consider the exact oversight obligations the Delaware Court of Chancery identified: make a good-faith effort to establish reasonable information and reporting systems to manage risk, and “do not consciously ignore red flags” indicating that the company may suffer harm.
These duties are particularly troubling because compliance officers are responsible for compliance risk, and compliance risk can arise anywhere in the business. Compliance officers must therefore make a good-faith effort to establish internal reporting systems that reach across the entire enterprise.
One such system is obviously a whistleblower hotline. But what other information systems should companies have in place? Should they, for example, build sophisticated data analytics to flag outlier transactions? What warning and escalation procedures should exist?
Again, the Delaware Chancery decision does not say. It merely lays down the (very sensible) principle that management must gather information and make some effort to understand what is going on within its remit. That abstract principle leaves compliance officers to work out the specific details themselves.
And don’t forget the second duty: don’t consciously ignore red flags. This puts compliance officers in an even more awkward position, because in the compliance world a red flag usually means fraud or misconduct. How aggressively must a compliance officer escalate such a red flag? If the board takes no action, must the officer raise the issue with regulators? If the board or senior management takes action, but that action does not address the root cause, what must the CCO do next? At what point has the officer discharged the duty?
Compliance officers must build effective compliance programs and take ethics and compliance violations seriously.
But for compliance officers who have lately felt punched from all sides, the ruling does nothing to ease that frustration.
Every compliance officer needs a foundation of tools available to establish and maintain a culture of compliance. This includes whistleblowing hotlines and incident management, training, policy and procedure management, and more. Learn more about how DELTA Data Protection & Compliance can support your company.
DELTA Data Protection & Compliance, Inc. Academy & Consulting – The DELTA NEWS – Visit: delta-compliance.com