As boards prepare for the new year, a combination of recent Delaware decisions, corporate controversies, and shareholder litigation has brought renewed attention to corporate governance practices. This article is the first in a series examining those developments and their implications for directors, shareholders, and companies.
Delaware courts have become increasingly attentive to how boards oversee “mission-critical” risks. Although the legal standards relating to the duty of oversight have not changed in name, recent decisions show that the courts have higher expectations for directors to install meaningful systems for monitoring compliance and safety issues. These expectations apply across traditional corporate sectors and extend to emerging industries such as cryptocurrency and cannabis, where regulatory scrutiny is evolving.
Boards that rely on high-level summaries, untested assumptions about management, or informal reporting practices place themselves at significant risk. Several recent cases demonstrate how directors can be held accountable when the information needed to adequately oversee mission-critical risks never reaches the boardroom.
The Legal Foundation: Caremark and Its Progeny
The modern duty of oversight begins with In re Caremark International Inc. Derivative Litigation. Directors have a duty of loyalty to the company that can be breached if a director acts in bad faith. The Delaware Court of Chancery held that directors can show bad faith, therefore breaching their duty of loyalty, if they (1) completely fail to implement a reporting system or (2) consciously ignore red flags that indicate the system is failing. This is a high bar, yet subsequent decisions have shown that plaintiffs can succeed when the underlying risk is “mission critical” to the business.
Marchand v. Barnhill
In Marchand, the Delaware Supreme Court held that Blue Bell Creameries’ board failed to satisfy its oversight duties because it did not meet the first prong of the Caremark test. It did not maintain any board-level system for monitoring food safety, which resulted in a listeria outbreak. Since food safety is essential to the company’s ability to operate, the absence of meaningful reporting reinforced the allegation that the directors acted in bad faith.
In re Boeing Company Derivative Litigation
The Boeing decision similarly emphasized that boards must keep themselves informed about key issues in their company, but it also demonstrates how a company can fail the second prong of the Caremark test as well. In Boeing, the board was sued following two crashes of a certain aircraft model. The Chancery Court found that Boeing’s directors did not receive regular or structured information about aircraft safety, despite operating in a heavily regulated industry where safety is fundamental to the company’s business. Despite this, the board knew or should have known about the safety issues because of the crashes, and they refused to act. This allowed the Caremark claim to proceed.
These cases make clear that oversight obligations increase when the risk relates directly to regulatory compliance and consumer or public safety.
Why Boards Miss Mission-Critical Risks
Despite years of guidance, boards frequently underestimate or overlook mission-critical risks. Several recurring patterns explain why.
1. Reporting Systems Are Too Limited
Boards often receive curated summaries rather than detailed operational data. As the cases above show, problems occur when boards do not have a formal system in place to receive information about problems and instead assume that no news is good news.
2. Warning Signs Are Categorized as Operational Noise
Companies frequently treat persistent compliance failures as routine. In several industries, regulatory fines may appear small relative to revenue, which causes companies to treat those fines as an ordinary recurring expense. When this mindset takes hold, directors may not grasp that the pattern reveals structural issues rather than isolated events.
3. Cultural Barriers Suppress Escalation
A culture that discourages dissent or rewards aggressive growth can prevent employees from raising concerns. When employees believe they will be ignored or punished when raising problems, critical information never reaches the board.
Understanding Today’s Mission-Critical Risks
Mission-critical risks arise in many business models. Examples from Marchand and Boeing include food safety for manufacturers and aircraft safety for aerospace companies. However, these are not the only examples.
- In consumer retail, pricing accuracy and consumer protection represent core legal and reputational risks.
- In the cannabis industry, compliance with state regulations, inventory tracking requirements, and security protocols are mission critical because a single violation can result in license suspension or loss of market access.
- In technology companies, data privacy and cybersecurity can determine whether a business retains user trust.
The key question is whether a company can operate lawfully without actively monitoring the risk. If the answer is no, the risk is likely mission critical.
What Boards Should Consider Now
Delaware cases provide a framework for how boards should approach oversight for mission-critical risks.
1. Install a Formal Board Level Reporting System
Directors should receive recurring, structured reports on mission-critical issues. This structure must be embedded in board materials, meeting agendas, and committee charters. Informal updates are not sufficient.
2. Ensure Unfiltered Information Reaches the Board
Management should not be the sole gatekeeper for risk information. Companies can address this by establishing dedicated compliance committees, requiring periodic internal audit reports, and creating direct reporting lines between the Chief Compliance Officer and the board.
Advisors to the board should be objective, knowledgeable about relevant risks, and able to identify issues as they arise. This is especially important in sectors where regulatory changes occur frequently and operational compliance can be complex.
3. Monitor Patterns, Not Just Outcomes
Repeated small fines, recurring operational delays, or consistent audit discrepancies are often indicators of a deeper structural issue. Boards should identify these patterns early and request root cause analysis.
4. Evaluate Cultural Risks Alongside Operational Ones
A company can have an elegant reporting structure yet still fail if the culture suppresses escalation. Directors should assess whether management encourages transparency, whether internal reporting channels function effectively, and whether employees feel supported when raising concerns.
5. Demonstrate Responsiveness
When directors become aware of an issue, whether or not that awareness comes from a formal reporting system, they must show that they are considering the implications. Discussions should be included in meeting minutes or other board reports. It is better to implement the “wrong” response than no response at all.
Conclusion
Board oversight is no longer limited to periodic reviews of financial performance. Courts expect directors to understand mission-critical risks, insist on structured reporting systems, and respond to red flags.
The lesson from recent Delaware cases is that oversight must be active and intentional. Companies that adopt robust monitoring systems and promote cultures that value transparency place themselves on firmer legal footing and protect long-term corporate value.
