
Copyright SJKP LLP Law Firm all rights reserved

Enterprise Risk Governance: Board Oversight, Compliance, and Liability



Enterprise risk governance is the system through which boards and executives identify, assess, and mitigate legal, regulatory, and operational risks to prevent liability and enforcement actions. Organizations that implement robust governance frameworks satisfy DOJ and SEC standards and protect directors and officers from regulatory penalties.

When enterprise risk governance failures occur, the consequences include SEC enforcement actions, DOJ investigations, Sarbanes-Oxley Act violations, and personal liability for directors and officers. Boards that invest proactively in a well-designed governance framework significantly reduce their exposure to these consequences.


1. How Enterprise Risk Governance Protects Boards from Liability


Enterprise risk governance creates documented evidence that the board exercised its duty of care and implemented reasonable internal controls, which is the foundational defense against director and officer liability in enforcement actions.



Board Fiduciary Duties: Duty of Care and the Business Judgment Rule


Directors owe a duty of care to the corporation, requiring them to act in an informed manner and exercise the level of care a reasonably prudent person would exercise in similar circumstances. The business judgment rule protects directors from personal liability for decisions made in good faith, but only when the board has implemented and actively monitored reasonable information and reporting systems. The Caremark doctrine holds that directors who fail to implement adequate oversight systems or consciously disregard known compliance risks can be held personally liable for resulting legal violations. Organizations should engage corporate governance counsel to conduct a governance assessment and identify structural deficiencies before they are exposed in enforcement proceedings or litigation.



How Effective Internal Controls Reduce Regulatory and Legal Exposure


Effective internal controls are the operational foundation of enterprise risk governance, enabling management to detect and prevent financial fraud, regulatory violations, and operational failures before they escalate into enforcement actions. Organizations that implement the COSO internal control framework, the standard referenced by the SEC for assessing internal control over financial reporting under SOX Section 404, can demonstrate to regulators that their risk management processes meet an objective standard. The SEC has pursued significant enforcement actions against companies whose weak internal controls allowed fraud and financial statement misstatements to occur without detection. Organizations that have identified weaknesses in their internal control framework should immediately engage corporate compliance & risk management counsel to remediate the deficiencies and document the remediation efforts.



2. Building a Compliance Framework That Satisfies the DOJ and SEC


A well-designed corporate compliance program demonstrates to the DOJ and SEC that the organization takes compliance seriously, and its existence at the time of a violation is one of the most significant factors regulators consider when deciding what penalties to impose.



Key Elements of a DOJ-Compliant Corporate Compliance Program


The DOJ Evaluation of Corporate Compliance Programs identifies the hallmarks of an effective compliance program, including senior leadership commitment, a code of conduct, a designated compliance function, risk assessment processes, robust training, and confidential reporting mechanisms. A compliance program that exists only on paper provides no protection in DOJ enforcement proceedings. Prosecutors specifically evaluate whether the program was working at the time of the violation and whether the compliance function had sufficient resources and authority. Organizations seeking to implement or strengthen a compliance program should engage compliance officer requirements counsel to design a program structure that meets the DOJ's evaluation criteria.



SOX Compliance and Internal Control over Financial Reporting


The Sarbanes-Oxley Act imposes significant governance obligations on public companies, including the SOX Section 404 requirement that management annually assess the effectiveness of internal control over financial reporting and that an independent auditor attest to management's assessment. SOX Section 302 requires the CEO and CFO to certify in each periodic report that the disclosure controls and procedures are operating effectively, and individual executives who knowingly certify false reports face criminal penalties of up to 20 years in prison under SOX Section 906. SOX Section 301 requires audit committee members to be independent and gives the audit committee responsibility for appointing and overseeing the independent auditor. Organizations subject to SOX requirements should engage Sarbanes-Oxley Act counsel to evaluate the adequacy of their internal control assessment processes and identify material weaknesses before the annual assessment.



3. Director and Officer Liability in Enterprise Risk Governance Failures


Directors and officers who fail to implement adequate enterprise risk governance structures face personal liability, including SEC and DOJ enforcement actions, shareholder derivative lawsuits, and securities class action lawsuits brought by shareholders who suffered losses from governance failures.



Director and Officer Liability and How to Limit Personal Exposure


Directors and officers can be held personally liable under the Caremark duty of oversight theory, under SEC Rule 10b-5 for material misstatements or omissions, under SOX Section 304 for reimbursement of executive compensation when the company must restate its financial statements, and under Dodd-Frank for participation in securities violations. D&O insurance provides financial protection for individual directors and officers, but D&O policies typically exclude coverage for intentional misconduct, fraud, and securities law violations, meaning coverage may not be available in the most serious enforcement cases. The most effective protection against personal director and officer liability is proactive governance, including documented board deliberation of material risks and prompt escalation of compliance issues when identified by management. Directors and officers seeking to limit their personal exposure should engage D&O and professional liability counsel to assess their governance documentation and D&O insurance coverage.



Shareholder Derivative Suits Arising from Governance Failures


Shareholder derivative lawsuits are filed by shareholders on behalf of the corporation against directors and officers who allegedly breached their fiduciary duties by failing to implement adequate internal controls or consciously disregarding known compliance risks. The demand requirement for derivative suits requires shareholders to make a pre-suit demand on the board, or to demonstrate that demand would be futile because a majority of the board is not independent or faces a substantial likelihood of personal liability. Derivative settlements in governance failure cases typically require the company to implement enhanced governance procedures, new board committee oversight mechanisms, enhanced internal controls, and independent compliance monitoring. Corporations and their boards facing a threatened or pending shareholder derivative lawsuit should immediately engage shareholder derivative lawsuit counsel to evaluate the demand requirement and develop a response strategy.



4. Responding to Enforcement Actions and Regulatory Investigations


When the SEC or DOJ initiates an investigation of an organization's enterprise risk governance practices, the organization must simultaneously manage the government investigation, remediate the underlying compliance failure, and address any parallel civil litigation.



How to Respond When the SEC or DOJ Investigates Your Company


The first step in responding to an SEC or DOJ investigation is to preserve all documents potentially relevant to the investigation by issuing a litigation hold. The failure to preserve relevant documents can result in obstruction charges, spoliation sanctions, and adverse inference instructions. Organizations under investigation should conduct an internal investigation under attorney-client privilege before responding to the government. Understanding the scope of the underlying conduct is essential for decisions about voluntary disclosure, cooperation, and negotiating positions. Organizations that have received an SEC subpoena or a DOJ notification of investigation should immediately engage SEC investigations counsel to manage the investigation response and assess cooperation strategy.



Using the Federal Sentencing Guidelines to Reduce Organizational Fines


The Federal Sentencing Guidelines for Organizations allow an organization to receive a three-point reduction in its culpability score for having an effective compliance and ethics program at the time of the offense. This reduction can decrease the applicable fine range by as much as 60 to 80 percent. Under the Sentencing Guidelines, an effective compliance and ethics program must include seven elements: leadership commitment, standards and procedures, due diligence, training and communication, monitoring and auditing, enforcement and discipline, and remediation following detected violations. Organizations that are under investigation or prosecution should immediately engage corporate governance advisory counsel to assess whether their compliance program qualifies for the Sentencing Guidelines credit.


16 Apr, 2026


The information provided in this article is for general informational purposes only and does not constitute legal advice. Prior results do not guarantee a similar outcome. Reading or using the content of this article does not create an attorney-client relationship with our firm. For advice regarding your specific situation, please consult a qualified attorney licensed in your jurisdiction.
Some informational content on this website may be produced using technology-assisted drafting tools and is subject to review by an attorney.
