Caremark and Enterprise Risk Management
Bainbridge, Stephen M., Journal of Corporation Law
I. INTRODUCTION
II. ENTERPRISE RISK MANAGEMENT
A. Overview
B. Risk Management and the Financial Crisis of 2008-2009
III. CAREMARK AND PROGENY
IV. DO ENTERPRISE RISK MANAGEMENT AND LAW COMPLIANCE DIFFER IN KIND?
V. THE SIGNIFICANT DIFFERENCES IN DEGREE
A. Risk Management is Still Evolving
B. The Benefits of Risk Management Programs are Inherently Less Certain
C. Risk Management and Risk Taking are Inextricably Intermingled
VI. TWEAKING CAREMARK
A. An Utter Failure to Adopt Risk Management Programs
B. Risk Management Red Flags
VII. CONCLUSION
Enterprise risk management is the process by which the board of directors and executives of a corporation define the firm's strategies and objectives so as "to strike an optimal balance between growth and return goals and related risks." (1) It encompasses determining an appetite for risk consistent with the interests of the firm's equity owners and identifying, preparing for, and responding to risks. (2) Although primary responsibility for risk management rests with the corporation's top management team, the board of directors is responsible for ensuring that the corporation has established appropriate risk management programs and for overseeing management's implementation of such programs. (3)
The financial crisis of 2008 revealed serious risk management failures on an almost systemic basis throughout the business community. (4) Shareholder losses attributable to absent or poorly implemented risk management programs likely are enormous. (5) Will shareholders be able to recoup some of those losses by suing boards of directors of companies with lax risk management programs?
Shareholder suits bringing such claims principally implicate the analysis of oversight failures by the board of directors, as established by the Caremark (6) decision and its progeny. (7) Caremark held that the board of directors has a duty to ensure that appropriate "information and reporting systems" are in place to provide the board and top management with "timely, accurate information." (8) Although post-Caremark opinions and commentary have focused on law compliance programs, (9) the original Caremark decision contemplated a similar duty with respect to the corporation's "business performance." (10)
There is no doctrinal reason that Caremark claims should not lie in cases in which the corporation suffered losses, not due to a failure to comply with applicable laws, but rather due to lax risk management. (11) Likewise, there is no basis in the underlying policy concerns for limiting Caremark to cases involving lax law compliance. Risk management and law compliance differ only in degree and not in kind. (12) Even so, some of those differences matter. Accordingly, courts need to develop a modified regime for deciding Caremark claims that do not involve law compliance issues. This Article concludes by outlining the relevant considerations.
II. ENTERPRISE RISK MANAGEMENT
Enterprise risk management is the process by which a business organization anticipates, prevents, and responds to uncertainties associated with the organization's strategic objectives. (13) Put another way, risk management is the process by which business organizations proactively determine the types and levels of risk appropriate for achieving the organization's strategic goals. (14) In recent decades, increasing attention has been paid to the evolving standards of enterprise risk management "as financial theory has advanced, new technology has made modeling of risks more feasible, and innovation has helped to find better ways to mitigate risk." (15)
A large public corporation these days faces "a myriad of risks ... ranging from complex financial risk to quality control regarding material manufactured in China." (16) In general, however, the risks corporations face can be broadly categorized as operational, market, and credit. …