Fifth in a series of updates on how the pandemic is informing basic elements of governance.
For most sophisticated health systems, the operative assumption is that, without regard to the pandemic, their boards have adopted a comprehensive information reporting system that keeps the board informed on enterprise risks. But a new survey from the research and advisory company Gartner suggests that this may be a faulty assumption.
Of more than 900 audit and risk leaders surveyed by Gartner in late March 2020, most of them are focused on assessing the impact of the pandemic on organizational operations and controls, and on revising and executing the company audit plan. Only 4% of respondents reported that updating the board was their primary focus at this time, while 21% reported executing the audit plan as the top priority.
Further, Gartner’s survey notes that “many enterprise risk management teams are finding that the board and executive teams are postponing risk committee meetings and are not getting exposed to risk-based insights on the impact and opportunities associated with the crisis.”
While board reporting may not be THE primary focus of audit and risk leaders, it most likely should be A priority focus, which is one of the reasons why the Gartner data is so noteworthy.
Without doubt, the burdens on governing boards during the current crisis to meet, communicate with management and stay abreast of all of the information that is relevant to the performance of their duties are staggeringly high. Nevertheless, the board’s compliance and risk oversight duties in particular are grounded in an expectation that the board will maintain an information and reporting system that is adequate to provide it with relevant data — especially in these challenging times like these.
This is, of course, the famous Caremark obligation. It is well-established that a Caremark breach of fiduciary duty claim is one of the most difficult theories in corporation law on which to find judgment. But two important 2019 Delaware court decisions allowed a breach of duty action to proceed against directors based on allegations they were essentially indifferent to their risk and compliance oversight obligation.
Management may thus consider working with the board to support its continuing ability to satisfy expectations of the law concerning risk and compliance oversight. Key components of that relate to (i) the management-to-board information reporting on risk and compliance information and (ii) the frequency with which the board and key committees meet to discuss such matters.
There is no “one size fits all” approach to reporting mechanisms. Furthermore, the sufficiency of those mechanisms depend on specific facts and circumstances. But management (especially the general counsel) may want to consult with the board on how it can continue to access important risk and compliance information despite the barriers presented by the current crisis.