Governance Policies: What Boards Are Personally Liable for Skipping



Governance policies define what directors must oversee, and their absence is how courts decide whether a board breached its duty of oversight.

A board that has never adopted a food safety monitoring policy, receives no regular reports on food safety metrics, and has no committee assigned to food safety oversight has not just skipped some paperwork. It has created the factual predicate for a Caremark derivative suit. The Delaware Supreme Court's 2019 decision in Marchand v. Barnhill made this explicit: when a company operates in a highly regulated industry presenting significant safety risks, and the board fails to implement any board-level compliance monitoring system for that risk, the directors cannot claim the protection of the business judgment rule. Governance policies are not compliance theater. They are the documented evidence that a board exercised oversight, and their absence is the evidence that it did not.

Governance policies are evaluated under the framework established in In re Caremark International Inc. Derivative Litigation, 698 A.2d 959 (Del. Ch. 1996), which held that directors have an obligation to ensure that an information and reporting system exists to allow the board to be informed of risks and violations, and further developed through Marchand v. Barnhill, 212 A.3d 805 (Del. 2019), and the Boeing derivative litigation (Del. Ch. 2021), which found that board-level monitoring policies for critical safety risks are a prerequisite to the protection the business judgment rule otherwise provides.


1. What Governance Policies Are and How Their Absence Creates Caremark Liability


The Caremark standard is not satisfied by good intentions. It is satisfied by documented systems.

A governance policy is a formal document that establishes who is responsible for overseeing a specific area of risk, what information they must receive and how often, what escalation procedures apply when a problem is identified, and what remediation steps are required when a violation occurs. The policy is evidence that the board did not simply assume management was handling a risk. It is evidence of a deliberate decision to create oversight accountability at the board level. Courts evaluating Caremark claims look for exactly this: documented policies, committee charters that assign oversight responsibility, and board minutes showing that required reports were actually received and discussed.

The two-part Caremark test requires a plaintiff to show either that the board failed to implement any reporting or information system for a material risk, or that having implemented such a system, the board consciously disregarded red flags that the system generated. The first prong is the governance policy question. A company that had no anti-corruption policy, no safety monitoring committee, no data security oversight procedure, and no mechanism for employees to report compliance concerns up to the board has potentially satisfied the first prong for any of those risk areas if a loss occurs. The second prong concerns how the board responded to information it did receive, which is a separate governance failure that recorded meeting minutes and documented board actions either establish or refute.



Which Governance Policy Failures Delaware Courts Have Found Sufficient to Survive Dismissal


Delaware courts dismiss most Caremark claims at the pleading stage because demand futility is difficult to establish and courts are reluctant to second-guess business decisions. But the cases that survive have a consistent factual pattern.

Marchand v. Barnhill involved Blue Bell Creameries, which experienced a listeria outbreak that killed three people and required a full product recall. The Delaware Supreme Court found that the complaint adequately pled a Caremark violation because the board had no board-level committee or monitoring system devoted to food safety oversight, and the company operated in an industry where food safety was the single most significant compliance risk. The absence of any board-level food safety governance policy, in an industry defined by food safety risk, was the fact that distinguished the case from routine Caremark dismissals.

The Boeing derivative litigation involved the 737 MAX crashes and found that the board's audit committee had aerospace safety on its charter but received no meaningful safety information for years. The failure was not the absence of a policy that named safety as a board concern. It was the failure of the information reporting system to actually function as the policy described. Both cases show that Caremark liability requires either no governance policy for a critical risk, or a governance policy whose monitoring system was not actually implemented. A policy that exists on paper but is never operationalized provides limited protection.



2. What Governance Policies Public Companies Must Maintain under SOX, SEC, and Exchange Listing Standards


Public companies face mandatory governance policy requirements from three overlapping sources: federal statute, SEC rules, and exchange listing standards. Each adds obligations the others do not fully cover.

Sarbanes-Oxley Act § 406 requires public companies to disclose whether they have adopted a code of ethics for senior financial officers, and if not, to explain why not. The code must address conflicts of interest, full and fair disclosure, and compliance with applicable laws. SOX § 301 requires audit committees to establish procedures for receiving and handling complaints about accounting and internal controls, which creates the functional equivalent of a mandatory whistleblower policy for financial reporting concerns. SOX §§ 302 and 906 certifications require the CEO and CFO to certify that they have disclosed to the audit committee any significant deficiencies or material weaknesses in internal controls, which presupposes a disclosure and escalation policy that delivers that information to the officers before they certify.

The SEC's proxy disclosure rules require public companies to describe their board leadership structure, risk oversight practices, director nomination procedures, and any policies on hedging and pledging of company securities by directors and officers. These disclosure requirements create indirect pressure to adopt formal policies, because a company that discloses it has no policy on director hedging of company stock has made a governance disclosure that institutional shareholders and proxy advisory firms will evaluate negatively. Corporate governance advisory and counsel practice for public companies routinely addresses the gap between what companies are required to disclose and what policies they have actually adopted.



How Exchange Listing Standards Add Governance Policy Requirements Beyond SEC Rules


NYSE and NASDAQ each publish listing standards that impose governance requirements as a condition of continued listing. Companies that fail to satisfy these standards face delisting, which creates commercial consequences that enforcement of SEC rules alone does not.

NYSE Listed Company Manual § 303A requires listed companies to adopt and disclose a code of business conduct and ethics for directors, officers, and employees; to adopt corporate governance guidelines addressing director qualifications, responsibilities, and compensation; and to operate through audit, compensation, and nominating/governance committees composed entirely of independent directors, each operating under a written committee charter approved by the board. The committee charters are governance policies: they define the committee's purpose, authority, membership requirements, and operating procedures, and they must be publicly disclosed on the company's website.

NASDAQ Listing Rule 5610 imposes a parallel code of conduct requirement and adds a specific obligation that the code address conflicts of interest, confidentiality, fair dealing, protection and proper use of company assets, and compliance with laws. NASDAQ Rule 5630 requires listed companies to conduct a review of related party transactions through a written policy addressing the standards for review, approval, and ratification of transactions with related persons. A company that completes a related party transaction without a board-approved written policy for evaluating such transactions has not only created a governance deficiency but has also provided evidence that the transaction was not subject to the kind of independent scrutiny that protects directors from conflict of interest claims. Board oversight failures and directors and officers liability claims frequently trace to exactly this gap.

Policy Type | Who Requires It | Minimum Content | Disclosure Required
Code of ethics / code of conduct | SOX § 406 (senior financial officers); NYSE § 303A; NASDAQ Rule 5610 | Conflicts of interest, compliance, fair dealing, confidentiality | Public website; proxy statement
Whistleblower / complaint procedures | SOX § 301 (accounting complaints); Dodd-Frank § 922 | Confidential submission, anti-retaliation, audit committee receipt | Proxy disclosure of procedures
Related party transaction policy | NYSE § 303A.09; NASDAQ Rule 5630 | Standards for review, approval authority, disclosure thresholds | Proxy statement disclosure
Committee charters (audit, compensation, NCG) | NYSE § 303A; NASDAQ Rule 5605 | Purpose, authority, membership, meeting requirements | Public website

Governance policy gaps create the most acute liability exposure when a company operates in an industry with a specific, identifiable, and material compliance risk that the board has never formally assigned to any committee, never designated any officer to monitor, and never received any board-level reporting about. The gap between the risk and the documented governance response is the gap that a derivative plaintiff fills with allegations of Caremark liability. Corporate risk and governance practice and D&O and professional liability practice in governance matters begin by mapping the company's material risk profile against its existing governance policies, to identify which risks have no documented board oversight structure before a derivative plaintiff performs the same analysis.



3. What Governance Policies Private Companies, PE-Backed Entities, and Nonprofits Need


Governance policies are not only a public company concern. Private companies face Caremark-equivalent liability in states that apply fiduciary duty standards to private company boards, PE-backed companies operate under governance structures that create investor protection obligations, and nonprofits face IRS scrutiny of their governance practices through Form 990 disclosures.

Private companies organized in Delaware face the same fiduciary duty framework as public Delaware corporations. The Caremark standard applies to private company boards, and derivative litigation arising from governance failures is available to private company minority shareholders and members. A private company board that has no whistleblower policy, no conflicts of interest policy, and no mechanism for escalating compliance concerns to the board faces the same analytical framework as a public company board when a governance failure produces a loss. The absence of stock exchange listing does not eliminate the Delaware duty of oversight.

PE-backed companies operate under governance arrangements established in shareholder agreements, investor rights agreements, and board composition provisions that allocate oversight responsibilities between the PE sponsor's board seats, management, and any independent directors. When these governance documents do not clearly assign responsibility for compliance monitoring, financial reporting oversight, and related party transaction approval, the resulting ambiguity about who was responsible for what creates both governance failures and investor protection disputes when something goes wrong. Corporate governance and exit transaction due diligence for PE-backed companies consistently reveals governance policy gaps that require remediation before a sale process can proceed without buyer concern about inherited governance liability.



How Governance Policy Gaps Create IRS Scrutiny and Board Liability in Nonprofits


IRS Form 990 asks specific governance questions that effectively require nonprofits to adopt or explain the absence of specific governance policies.

Form 990 Part VI asks whether the organization has a written conflict of interest policy and whether it regularly monitors compliance with that policy, whether it has a written whistleblower policy, whether it has a written document retention and destruction policy, and whether executive compensation is reviewed and approved by an independent body using comparability data. These questions function as indirect requirements: a nonprofit that discloses it has none of these policies has made a public disclosure that state attorneys general, major donors, and watchdog organizations can use to evaluate the organization's governance quality.

Nonprofit board members face personal liability for governance failures under state nonprofit corporation laws and through excise tax provisions under IRC § 4958, which imposes intermediate sanctions on excess benefit transactions between nonprofits and disqualified persons. A nonprofit that lacks a conflict of interest policy and approves a transaction with a board member's company without documenting the approval process and the comparability data used to evaluate the compensation has not only failed the Form 990 governance questions but has potentially approved a transaction without the procedural protections that create a presumption of reasonableness under the IRC § 4958 regulations.



4. Frequently Asked Questions about Governance Policies


Governance policy questions arrive from general counsel who received a D&O insurance renewal questionnaire asking about specific board policies that the company does not currently have, from PE investors evaluating governance documentation at a portfolio company preparing for a sale process, and from nonprofit executive directors whose auditors flagged the absence of a conflict of interest policy as a material weakness. Those situations generate the following questions.



What Are Governance Policies and Why Do Courts Treat Their Absence As Evidence of Director Liability?


Governance policies are formal documents that define what risks the board oversees, what information it must receive, who is responsible for reporting, and what escalation procedures apply when a problem arises. Courts treat their absence as evidence of a Caremark oversight failure because the Delaware Supreme Court held in Marchand v. Barnhill that a board operating in a high-risk industry without any board-level compliance monitoring system for that industry's primary risk cannot claim the protection of the business judgment rule. The policy is not just compliance documentation. It is the evidence that a board consciously addressed a risk rather than ignoring it.



Which Governance Policies Does a Public Company Absolutely Need?


Public companies must maintain a code of ethics for senior financial officers under SOX § 406, audit committee complaint procedures under SOX § 301, and committee charters for audit, compensation, and nominating/governance committees under NYSE and NASDAQ listing standards. They also need a related party transaction policy, an insider trading and securities trading blackout policy, a director independence determination policy, and procedures for board and committee meeting conduct. SEC proxy disclosure requirements create indirect pressure to adopt hedging and pledging policies and to describe board risk oversight practices in ways that presuppose a formal oversight structure for material risks.



Does a Private Company Need Governance Policies If It Is Not Publicly Traded?


Yes, particularly if incorporated in Delaware. Private Delaware corporations face the same Caremark fiduciary duty framework as public companies, and derivative litigation for governance failures is available to minority shareholders regardless of whether the company has public shareholders. PE-backed companies additionally face governance obligations established in shareholder agreements and investor rights agreements that typically require board approval of material decisions, related party transactions, and executive compensation. The absence of documented governance policies in a PE-backed company creates both fiduciary liability exposure and deal friction when the company enters a sale process and buyers evaluate inherited governance risk.



What Governance Policies Does a Nonprofit Need?


IRS Form 990 specifically asks whether nonprofits have adopted a written conflict of interest policy with annual compliance monitoring, a written whistleblower policy, and a written document retention and destruction policy. Nonprofits should also adopt an executive compensation approval policy that uses an independent body and comparability data to create the presumption of reasonableness required to avoid IRC § 4958 intermediate sanctions on excess benefit transactions. State nonprofit corporation laws impose additional governance requirements that vary by state. The absence of any of these policies is a public disclosure on Form 990 that state attorneys general, major donors, and rating organizations can and do evaluate.



How Does a Caremark Claim Actually Work and What Does a Plaintiff Need to Prove?


A Caremark derivative claim requires a plaintiff to show either that the board failed to implement any information reporting system for a material risk, or that having implemented such a system, the board consciously disregarded red flags the system generated. The claim is brought as a derivative suit on behalf of the company against the directors who failed in their oversight duty. Most Caremark claims are dismissed at the pleading stage because courts require particularized facts showing bad faith rather than mere negligence. The cases that survive dismissal, like Marchand and Boeing, involve a complete absence of board-level monitoring for the company's most significant risk category. Corporate governance counsel and board oversight failures practice address these claims both defensively, by helping boards build adequate oversight systems before a loss occurs, and offensively, by evaluating whether a governance failure warrants derivative litigation.


08 Jun, 2026


The information provided in this article is for general informational purposes only and does not constitute legal advice. Prior results do not guarantee a similar outcome. Reading or using the content of this article does not create an attorney-client relationship with our firm. For advice regarding your specific situation, please consult a qualified attorney licensed in your jurisdiction.
Some informational content on this website may be produced with technology-assisted drafting tools and is subject to review by an attorney.
