Tag: Marchand

Categories
Blog

From the Tower of Babel to the Boardroom: Part 4 – AI, Truth, and Corporate Trust

Employees trust that leadership will tell them the truth. Investors trust that disclosures are accurate. Customers trust that representations are reliable. Boards trust that management reporting is complete. Compliance officers trust that records, interviews, hotline reports, emails, chats, invoices, certifications, and audit findings reflect reality.

Artificial intelligence now challenges that foundation. AI can generate text, audio, images, video, records, summaries, identities, and narratives at speed and scale. It can help a compliance function become more effective. It can also make falsehood more convincing, fraud more sophisticated, and manipulation harder to detect.

In the first three posts in this series, we used Magnifica Humanitas to move from governance principle to compliance program design and then to internal controls for shadow AI. In this fourth post, we turn to one of the most important themes in the Encyclical Letter: truth. Pope Leo XIV says the digital transformation requires us to rediscover truth as a common good, protect the dignity of work, and safeguard freedom against dependence and commercialization (Magnifica Humanitas, ¶131). For boards and compliance leaders, that is a powerful governance lesson. Without truth, there is no trust. Without trust, there is no culture. Without culture, no compliance program can be effective.

Truth as a Common Good

Magnifica Humanitas warns that digital platforms and AI systems are transforming public and institutional communication. The Encyclical identifies a core risk: AI can construct distorted narratives, blur the boundary between truth and falsehood, mix facts with opinions, and manipulate content, images, and video (Magnifica Humanitas, ¶132). It also reminds us that truthful information requires verification, cross-checking of sources, responsible argument, and shared practices of trust (Magnifica Humanitas, ¶132).

For the compliance professional, this is not abstract philosophy. It is an operational reality. A corporation is built on records and representations. A company’s compliance program depends on accurate policies, reliable data, trustworthy reporting, credible investigations, authentic communications, and truthful escalation to leadership and the board. If AI weakens the company’s ability to know what is real, AI becomes a compliance risk.

The issue is not only misinformation in public discourse. It is misinformation inside the enterprise. AI-generated falsehood can appear in emails, invoices, employee complaints, due diligence materials, contracts, investigation files, synthetic images, training materials, board reports, and financial documentation. Truth is no longer only an ethical value. It is a control objective.

From Encyclical Principle to Corporate Trust Requirement

The corporate translation is direct. If truth is a common good, information integrity is a governance requirement. If AI can distort narratives and manipulate content, companies need verification controls. If truthful information depends on cross-checking and responsible argument, compliance cannot treat AI outputs as self-authenticating. If communication creates culture, as Magnifica Humanitas teaches, then AI-generated communications must be governed because they shape how employees, customers, investors, and directors understand the company (Magnifica Humanitas, ¶135).

The Encyclical also calls for an ecology of communication grounded in transparency, personal data protection, rigorous verification, and the proper use of digital tools (Magnifica Humanitas, ¶137). In corporate terms, that means controls over high-risk communications, rules for AI-generated content, validation of AI-assisted summaries, protection of the integrity of investigations, and reporting systems that enable the board to trust what it receives.

Synthetic Reality and Corporate Risk

We are entering the age of synthetic reality. Companies must assume that audio may be cloned, video may be fabricated, documents may be AI-generated, and digital identities may be false. This does not mean every communication is suspect. It means the company must build verification protocols for high-risk decisions.

The Arup deepfake fraud demonstrates the corporate risk. The Guardian reported that in 2024, public reporting stated that engineering firm Arup was victimized in a deepfake scam involving its Hong Kong office, where fraudsters reportedly used AI-generated video impersonations in a call that led to the transfer of approximately $25 million. That incident should be understood as more than a cyber story. It is a governance story, a finance controls story, a human factors story, and a compliance story.

A traditional approval process may fail when a trusted executive appears to be present on a video call. A fraud-prevention control may fail when an employee believes their identity has already been verified. A payment control may fail when urgency, authority, secrecy, and synthetic trust converge. The compliance lesson is clear: in an AI-enabled environment, trust must be verified when the risk is high.

AI and the Integrity of Corporate Information

Boards and CCOs should treat the integrity of corporate information as part of AI governance. This includes information created by AI, information summarized by AI, and information used to make AI-supported decisions.

Consider internal investigations. AI can help summarize documents, cluster communications, identify patterns, and organize timelines. But Magnifica Humanitas reminds us that AI lacks moral conscience, does not understand what it produces, and does not bear responsibility for its consequences (Magnifica Humanitas, ¶99). A compliance investigator cannot delegate credibility findings to a machine. AI can support the investigation record. It cannot become the investigation record.

Consider hotline reporting. AI may help triage allegations, identify themes, translate complaints, and route issues. But if the system misclassifies a serious allegation as low risk, strips away nuance, or fails to identify indicators of retaliation, the company may miss a critical signal. Consider board reporting. A polished AI-generated report may look authoritative while masking weak data, incomplete controls, or unsupported conclusions. In compliance, elegance is not evidence.

The DOJ ECCP and Trustworthy AI

The DOJ’s Evaluation of Corporate Compliance Programs (ECCP) now asks how companies identify and manage emerging technology risks, including AI. It asks how companies govern AI in commercial operations and in their compliance programs; whether controls monitor trustworthiness and reliability; whether AI is limited to intended uses; what human decision-making baseline is used; how accountability is enforced; and how employees are trained.

This is where the Encyclical’s moral mandate and the DOJ’s compliance test meet. Magnifica Humanitas says responsibility must be clearly defined at every stage and that accountability requires identifying who must account for decisions, justify them, monitor them, challenge them, and remedy harm (Magnifica Humanitas, ¶105). The ECCP asks whether a company has converted that accountability into governance, controls, training, monitoring, and evidence. For CCOs, the question is not whether AI can help compliance. It can. The question is whether compliance can explain how AI-supported information is validated, reviewed, escalated, corrected, and documented.

NIST, COSO, and the Control Language of Trust

NIST provides a practical vocabulary for this discussion. The NIST AI Risk Management Framework identifies trustworthy AI characteristics, including validity and reliability; safety, security, and resilience; accountability and transparency; explainability and interpretability; privacy enhancement; and fairness, with harmful bias managed. For this post, reliability and transparency matter most. Reliability asks whether an output can be trusted for the intended purpose. Transparency asks whether the company can understand, explain, and govern the system.

COSO also matters here. COSO’s internal control framework is designed to help organizations achieve operations, reporting, and compliance objectives, and COSO’s GenAI guidance translates that internal-control discipline into AI governance. In the AI context, companies need controls over the creation, use, review, approval, and communication of AI-generated or AI-assisted information. This is where CCOs, internal audit, finance, legal, and IT must work together. The company should identify where authenticity matters most and design controls accordingly.

Practical Controls for AI, Truth, and Trust

A practical compliance program should include controls for AI-enabled truth risk.

First, companies should adopt verification protocols for high-risk communications. Payment instructions, executive requests, wire transfers, confidential transactions, changes to vendor banking information, M&A activity, crisis communications, and sensitive employment decisions should require independent verification outside the original communication channel.

Second, companies should require labeling or disclosure where AI-generated content is used in official corporate communications and authenticity matters. Third, companies should protect investigations from unverified AI outputs. AI-generated summaries should be treated as work aids, not evidence. Investigators should validate source documents, preserve original records, and document human review.

Fourth, companies should train employees on synthetic fraud. Magnifica Humanitas warns that AI-enabled manipulation of images and videos can make exploitation and deception more insidious (Magnifica Humanitas, ¶141). Employees should learn the red flags: urgency, secrecy, unusual payment instructions, refusal to use normal channels, unexpected video calls, requests to bypass controls, and pressure from apparent senior leaders.

Fifth, companies should create an incident response process for AI-enabled deception. A deepfake attempt, a synthetic invoice, a cloned executive voice, a fake employee profile, or an AI-generated document should be reportable, investigated, tracked, and remediated.

Board Oversight and Corporate Trust

For boards, AI and truth raise a serious oversight issue. Directors rely on management reporting to fulfill their duties. If AI affects the integrity of that reporting, boards need to understand the control environment.

The Caremark lesson is not that directors must become forensic AI experts. Directors must make a good-faith effort to ensure that reasonable information and reporting systems are in place for central compliance risks. In Marchand v. Barnhill (Bluebell Ice Cream), the Delaware Supreme Court emphasized the importance of board-level monitoring and reporting systems for mission-critical compliance risks.

Magnifica Humanitas gives this oversight obligation a deeper accountability mandate. It says AI governance requires defined responsibility, justification of decisions, monitoring, challenge, and remediation (Magnifica Humanitas, ¶105). The board’s obligation is not technical mastery. It is a reporting and monitoring system that shows management can authenticate what matters, identify AI-enabled truth risks, escalate concerns, and remediate failures.

5 Lessons for the CCO
  1. Treat truth as a compliance control. Accurate records, authentic communications, validated reports, and reliable investigation files are essential to the effectiveness of compliance programs. Truth must be designed into the control environment.
  2. Build verification into high-risk processes. Payment approvals, executive instructions, vendor bank changes, crisis communications, and sensitive decisions should require independent verification.
  3. Govern AI-assisted evidence. AI can support investigations and reporting, but human review, source validation, preservation of original records, and documentation must remain mandatory.
  4. Train employees to challenge synthetic reality. Deepfakes, cloned voices, fake identities, and AI-generated documents should be part of fraud, cyber, finance, and compliance training.
  5. Report information integrity risk to the board. Boards need evidence that management has identified AI-enabled truth risks and designed controls to prevent, detect, respond to, and remediate them.
Conclusion: Corporate Trust Must Be Protected

Magnifica Humanitas reminds us that truth is a common good. That is a moral principle, but it is also a compliance principle. A company cannot govern itself if it cannot trust its information. A board cannot oversee what management cannot verify. A CCO cannot certify program effectiveness if the underlying records, reports, and communications are unreliable.

Compliance professionals should embrace AI. It can improve risk detection, strengthen monitoring, support investigations, and expand analytical capacity. But AI also requires vigilance, responsibility, transparency, governance, and human primacy. In the age of synthetic reality, compliance must help the company protect truth as part of the control environment.

In the next and final post in this five-part series, we will broaden the lens again. We will examine the Human Supply Chain of AI: Workforce Transformation, Third-Party Risk, and Modern Slavery. That post will tie together the human impact of AI, the dignity of work, vendor risk, data governance, and the compliance responsibility to look beyond the visible interface to the people, suppliers, and systems that make AI possible.

Categories
31 Days to More Effective Compliance Programs

One Month to a More Effective Compliance Program with Boards – Legal Requirements of the Board Regarding Compliance

As to the specific role of best practices in general compliance and ethics, one can look to Delaware corporate law for guidance. The case of In Re Caremark International Inc., 698 A.2d 959 (Del. S. Ct. 1996) was the first case to hold that a Board’s obligation “includes a duty to attempt in good faith to assure that a corporate information and reporting system, which the board concludes is adequate, exists, and that failure to do so under some circumstances may, in theory at least, render a director liable for losses caused by non-compliance with applicable legal standards.”

In the case of Stone v. Ritter, the Supreme Court of Delaware expanded on the Caremark decision by establishing two important principles. First, the Court held that the Caremark standard is the appropriate standard for director duties concerning corporate compliance issues. Second, the Court found that no duty of good faith forms a basis for director liability, independent of the duties of care and loyalty. Rather, Stone v. Ritter 911 A.2d 362 (‎Del. S. Ct. 2006) holds that the question of director liability turns on whether there is a “sustained or systematic failure of the board to exercise oversight—such as an utter failure to attempt to assure a reasonable information and reporting system exists.”

The Board has the role of monitoring the performance of the compliance function, including monitoring the performance of it using standard economic metrics and overseeing compliance with applicable laws and regulations. While the Board is not responsible for auditing or ferreting out compliance problems, it is responsible for determining that the company has an appropriate system of internal controls. The Board should also monitor company policies and practices that address compliance and matters affecting the public perception and reputation of the company. Every company should ensure that it conducts appropriate compliance training for employees and conducts regular compliance assessments. Finally, the Board must take appropriate action if and when it becomes aware of a material problem it believes management is not properly handling. The Delaware Supreme Court has expanded this obligation in the cases of Marchand v. Barnhill (the “Blue Bell” case),  Clovis Oncology, Hughes, and Boeing.

From the Delaware cases, a Board must have a corporate compliance program in place and actively oversee that function. Further, if a company’s business plan includes a high-risk proposition, additional oversight should exist. In other words, there is an affirmative duty to ask tough questions. However, there has been a significant expansion of the Board’s Caremark obligation.  Delaware courts will be much more scrutinizing of Caremark claims going forward. The evolution of decisions from Marchand to Boeing shows that a company must have robust compliance and risk management oversight but, more importantly, engage in oversight for the company’s signature risk(s). Boards must do so aggressively, not passively.

As Mike Volkov has noted, “At the bottom, the Chancery Court is raising the stakes on board member accountability.”

 Three key takeaways:

  1. The Delaware courts have led the way with the Caremark and Stone v. Ritter decisions.
  2. Boards must have compliance expertise and exercise it.
  3. In a series of recent decisions, the Delaware courts are expanding the Caremark obligations, most recently.

For more information check out The Compliance Handbook, 3rd edition, available from LexisNexis here.

Categories
31 Days to More Effective Compliance Programs

Day 5 – The Board and Operationalizing Compliance

The most significant development for Boards and compliance continues to come from the Delaware courts, which have been expanding the civil law obligations of Boards through a series of court decisions involving the expansion of the Caremark Doctrine for the past several years. These developments began with the Marchand (Blue Bell Ice Cream) decision which required Boards to manage the risks their organizations face. Next was Clovis Oncology which required ongoing monitoring by the Board. Finally, the Boeing case stands for the continuing proposition that a Board cannot simply have the trappings of oversight, it must do the serious work required and have evidence of that work (Document, Document, and Document).


The decision in Boeing is yet a further expansion of the Caremark Doctrine, once again beginning with MarchandBoeing also states that a company must assess its risks and then manage them right up through the Board level. Finally, a Board must be aggressive in their approach and not passively take in what management has presented to them.
The DOJ has also made clear its thoughts on the role of the Board of Directors. The role of the Board is different than that of senior management. The 2020 Update and DOJ Antitrust Division’s 2019 Evaluation of Corporate Compliance Programs in Criminal Antitrust Investigations were even more explicit in announcing their expectation for robust Board oversight of a corporate compliance function.

Name any of the most recent corporate scandals; Wells Fargo, Theranos, Volkswagen, Boeing, FTX, etc., and there was no compliance expertise on the Board. It is now enshrined as a best practice for companies to have a seasoned compliance professional on the Board. I would also add that the DOJ may soon expect a Compliance Committee separate from the Audit Committee.
The DOJ continually speaks about the need for companies to operationalize their compliance programs. Businesses must work to integrate compliance into the DNA of their organization. Having a Board member with specific compliance expertise or heading a Compliance Committee can provide a level of oversight and commitment to achieving this goal. The DOJ enshrined this requirement in the FCPA Corporate Enforcement Policy. This means that when your company is evaluated by the DOJ, under the factors set out in the 2020 Update and FCPA Corporate Enforcement Policy, to retrospectively determine if your company had a best practices compliance program in place at the time of any violation, you need to have not only the structure of the Board-level Compliance Committee but also the specific subject matter expertise on the Board and on that committee.

This means that every Board of Directors needs a true compliance expert. Almost every Board has a former Chief Financial Officer, former head of Internal Audit, or persons with a similar background. Often, these are also the Audit Committee members of the Board. Such a background brings a level of sophistication, training, and SME that can help all companies with their financial reporting and other finance-based issues. So why is there no such SME at the Board level from the compliance profession?

Three key takeaways:

1. The 2020 Update required active Board of Director engagement and oversight around compliance.
2. Board communication on compliance is two-way, both inbound and outbound.
3. The Delaware courts have been expanding Board’s roles through the expansion of the Caremark Doctrine.

Categories
Role of the Board of Compliance

Episode 02: Marchand (Blue Bell Ice Cream) with Tom Fox and Jonathan Marks

Understanding risk means understanding your business.

Tom Fox and Jonathan Marks discuss the Blue Bell Ice Cream case, what went wrong, the lessons that compliance officers and board members can learn and apply, suggest how to improve your business’s governance, and how to be wary of red flags.

▶️ Marchand (Blue Bell Ice Cream) with Tom Fox and Jonathan Marks

Key points discussed in the episode:

✔Tom Fox lays out the facts of the Blue Bell Ice Cream case.

✔Jonathan Marks emphasizes the importance of enterprise-wide risk management and identifying key risks by deeply understanding your business.

✔Members of boards and committees should be carefully considered, must be conscious of the laws and regulations, and proactively ask questions to ensure safe products and services.

✔Jonathan Marks shares his opinions on the court verdict on Blue Bell’s CEO Paul Kruse’s responsibility for the listeria outbreak.

✔ Jonathan Marks highlights the gravity of disclosing red flags earlier so they can be corrected, preventing further damage, and continuing enterprise risk management programs, taking the shame out of it.

✔Tom Fox presents what the Delaware Supreme Court said about the case.

✔When safety issues arise, assess the situation quickly and communicate it among those responsible. Be prepared and have a crisis management plan in place if there isn’t any. 

✔Risk drives compliance. Ensure the board is informed. Risk assessment is the foundation of any compliance program.

—————————————————————————-

Do you have a podcast (or do you want to)? Join the only network dedicated to compliance, risk management, and business ethics, the Compliance Podcast Network. For more information, contact Tom Fox at tfox@tfoxlaw.com.

 

Categories
The Woody Report

Caremark Claims, Part 1

Welcome to The Woody Report, where Washington & Lee School of Law Associate Professor Karen Woody and host Tom Fox discuss issues on white-collar crime, compliance issues, international corruption, securities and accounting fraud, and internal corporate investigations. From current events to topical issues to academic research and thought leadership, Karen Woody helps lead the discussion of these issues on the new and exciting podcast. Today Tom and Karen are an exploration of the Board of Directors’ role in a compliance program through an exploration of the Caremark decision, some of its progeny and then the modern era of Caremark litigation, which began with Marchand, the Bluebell Ice Cream case.

Resources

Karen Woody on LinkedIn

Karen Woody at Washington & Lee, School of Law

Categories
Compliance Week Conference Podcast

Karen Woody on Board Evolution on the Role of Compliance


In this episode of the Compliance Week 2022 Preview Podcasts series, Karen will discuss some of my presentation at Compliance Week 2022 “Board Evolution”. Some of the issues she will discuss in this podcast and her presentation are:

  • Delve into the evolution of the Caremark doctrine requiring Boards to oversee compliance and explore where the courts and regulators are headed
  • Discuss best practices in managing up to the board, including reporting
  • Examine how to best educate boards and engage them in effective oversight, and what compliance’s role is in that

In this first full compliance conference in over 2 years, I hope you can join me at Compliance Week 2022. This year’s event will be May 16-18 at the JW Marriott in Washington DC. The line-up of this year’s event is simply first rate with some of the top ethics and compliance practitioners around.

Gain insights and make connections at the industry’s premier cross-industry national compliance event offering knowledge-packed, accredited sessions and take-home advice from the most influential leaders in the compliance community. Back for its 17th year, compliance, ethics, legal, and audit professionals will gather safely face-to-face to benchmark best practices and gain the latest tactics and strategies to enhance their compliance programs. and many others to:

  • Network with your peers, including C-suite executives, legal professionals, HR leaders and ethics and compliance visionaries.
  • Hear from 75+ respected cross-industry practitioners who are CEOs, CCOs, regulators, federal officials, and practitioners to help inform and shape the strategic direction of your enterprise risk management program.
  • Hear directly from the two SEC Commissioners and gain insights into the agency’s areas of enforcement and walk away with guidance on how to remain compliant within emerging areas such as ESG disclosure, third-party risk management, cybersecurity, cryptocurrency and more.
  • Bring actionable takeaways back to your program from various session types including ESG, Human Trafficking, Board obligations and many others for you to listen, learn and share.
  • The goal of Compliance Week is to arm you with information, strategy and tactics to transform your organization and your career by connecting ethics to business performance through process augmentation and data visualization.

I hope you can join me at the event. For information on the event, click here. As an extra benefit to listeners of this podcast, Compliance Week is offering a $200 discount off the registration price. Enter discount code discount code TFLAW $200 OFF.

Categories
Blog

Expanding Compliance Obligations of the Board – Part 1: Blue Bell

The role of the Board of Directors has always been a key part of any best practices compliance program. The Department of Justice (DOJ) and Securities and Exchange Commission (SEC) have consistently said that a Board’s role is active oversight of compliance. Over the past few years, the civil side of this obligation has become much more prominent, led by developments in case law under the Caremark doctrine, as modified by Stone v. Ritter by the Delaware Supreme Court. In response to demands for greater accountability and corporate accountability, the Delaware courts have been cutting back the Caremark standard and rejecting motions to dismiss filed by defendants. Recent cases are continuing down this path and raising the expectations for Board members exercising their duty of loyalty and duty of care. This week I will be exploring this expanded set of legal obligations laid down by the Delaware Supreme Court.
Mike Volkov has stated, “At the core of board member protection from liability is the well-known Caremark doctrine that requires corporate boards to make a good faith effort to implement a system for compliance program monitoring and reporting. For years, Delaware courts easily rebuffed shareholder derivative suits challenging board members’ performance after a corporate scandal occurred. The Caremark standard was reinforced in Stone v. Ritter, where the court stated director oversight liability requires a showing of either “the directors utterly failed to implement any reporting or information system or controls” or the directors, “having implemented such a system or controls, consciously failed to monitor or oversee its operations thus disabling themselves from being informed of risks or problems requiring their attention.”
Under Caremark and Stone v. Ritter, a director must make a good faith effort to oversee the company’s operations. Failing to make that good faith effort breaches the duty of loyalty and can expose a director to liability. But it is more than simply not doing your job as a Board, it is doing so in bad faith. The Court states, “In other words, for a plaintiff to prevail on a Caremark claim, the plaintiff must show that a fiduciary acted in bad faith—“the state of mind traditionally used to define the mindset of a disloyal director.” Bad faith is established, under Caremark, when “the directors [completely] fail[] to implement any reporting or information system or controls[,] or … having implemented such a system or controls, consciously fail[ ] to monitor or oversee its operations thus disabling themselves from being informed of risks or problems requiring their attention.” In short, to satisfy their duty of loyalty, directors must make a good faith effort to implement an oversight system and then monitor it.”
This change began in a case Marchand v. Barnhill and it involved that Texas institution, Blue Bell Ice Cream, the top ice cream manufacturer in the US. In this decision, the Court found that the Blue Bell Board completely abrogated its duty around the single largest safety issues it faced – food safety. That abrogation allowed a listeria outbreak, “causing the company to recall all of its products, shut down production at all of its plants, and lay off over a third of its workforce. Blue Bell’s failure to contain listeria’s spread in its manufacturing plants caused listeria to be present in its products and had sad consequences. Three people died as a result of the listeria outbreak. Less consequentially, but nonetheless important for this litigation, stockholders also suffered losses because, after the operational shutdown, Blue Bell suffered a liquidity crisis that forced it to accept a dilutive private equity investment.”
The job of every Board member is to represent the shareholders, not the incumbent Chief Executive Officer (CEO) and Chairman of the Board. To do so, the Board must oversee the risk management function of the organization. Blue Bell was and to this day is a single-product food company and that food is ice cream. This sole source of income would mandate that the highest risk the company might face is around food. But as the underlying compliant noted, “despite the critical nature of food safety for Blue Bell’s continued success, the complaint alleges that management turned a blind eye to red and yellow flags that were waved in front of it by regulators and its own tests, and the board—by failing to implement any system to monitor the company’s food safety compliance programs—was unaware of any problems until it was too late.”
The plaintiffs reviewed the Board records and made the following allegations:

  • there was no Board committee that addressed food safety;
  • there was no regular process or protocols that required management to keep the Board apprised of food safety compliance practices, risks, or reports which existed;
  • there was no schedule for the Board to consider on a regular basis, such as quarterly or biannually, any key food safety risks which existed;
  • during a key period leading up to the deaths of three customers, management received reports that contained what could be considered red, or at least yellow, flags, and the Board minutes of the relevant period revealed no evidence that these were disclosed to the Board;
  • the Board was given certain favorable information about food safety by management, but was not given important reports that presented a much different picture; and
  • the Board meetings are devoid of any suggestion that there was any regular discussion of food safety issues.

The Board’s response to these allegations is instrumental in understanding how Board’s viewed their obligations regarding oversight of compliance. The Court stated, “the directors largely point out that by law Blue Bell had to meet FDA and state regulatory requirements for food safety, and that the company had in place certain manuals for employees regarding safety practices and commissioned audits from time to time. In the same vein, the directors emphasize that the government regularly inspected Blue Bell’s facilities, and Blue Bell management got the results.”
The Delaware Supreme Court made short shrift of this argument, stating “fact that Blue Bell nominally complied with FDA regulations does not imply that the board implemented a system to monitor food safety at the board level. Indeed, these types of routine regulatory requirements, although important, are not typically directed at the board. At best, Blue Bell’s compliance with these requirements shows only that management was following, in a nominal way, certain standard requirements of state and federal law. It does not rationally suggest that the board implemented a reporting system to monitor food safety or Blue Bell’s operational performance.”
The Board’s next defense was even more inane and was so preposterous, the Delaware Supreme Court labeled it as “telling.” It was that because the Board had received information on the company’s operational issues and performed oversight on operational issues, it had fulfilled its Caremark obligations. This is basically the same argument that every paper-pushing argument for compliance program. We have something on paper, so we have complied is the clarion call of such practitioners. The Delaware Supreme Court also saw through the flimsiness of this argument stating, “if that were the case, then Caremark would be a chimera.” [emphasis in original] This is because operational issues are always discussed at the Board level. Finally, Caremark requires “that a board make a good faith effort to put in place a reasonable system of monitoring and reporting about the corporation’s central compliance risks. In Blue Bell’s case, food safety was essential and mission critical.”
It has long been axiomatic that bad facts can lead to large changes in how courts interpret the law. The Blue Bell case had facts that the Court all but said the Board engaged in bad faith regarding its compliance obligations. The change was only the beginning.