At the risk management conference I attended yesterday at Delaware, VC Leo Strine and I were discussing the Caremark-based duty of directors to put into place effective monitoring systems. I pointed to the "-ly" words to emphasize that, for example, any risk management program--no matter how lame--would suffice to preclude liability.
Note that my argument is directed at judges. VC Strine observed that counsel advising clients should always base their advice on best practice not bare minimums. I concur, of course.First, it’s critical to remember that, under Stone, the initial question is whether the board “utterly failed to implement any reporting or information system or controls.” Where a Caremark claim is premised on accounting control failures, liability would arise if “the company entirely lacked an audit committee or other important supervisory structures, or that a formally constituted audit committee failed to meet.” Note the emphasis that a mere failure is not enough; there must be an utter or entire failure. This requirement follows inexorably from Caremark’s dictum that “the level of detail that is appropriate for [the requisite] information system is a question of business judgment.” Courts are not to second-guess a board’s determination that the company’s risk management programs are adequate. In other words, so long as the board has put into any place any risk management efforts—no matter how lame—that should suffice.
The take home lesson thus is not that boards need to devise a perfect information and reporting system. The lesson is that they must try (a lesson that may extend to all areas covered by the emergent good faith principles).
This, of course, reminds me of the famous advice Yoda gave Luke Skywalker:
I'm not sure that's good life advice. Given that binary choice, too many people select "do not." I am certain that it's bad corporate advice.