Caremark and enterprise risk management.

Author: Bainbridge, Stephen M.
  I. INTRODUCTION
  II. ENTERPRISE RISK MANAGEMENT
    A. Overview
    B. Risk Management and the Financial Crisis of 2008-2009
  III. CAREMARK AND PROGENY
  IV. DO ENTERPRISE RISK MANAGEMENT AND LAW COMPLIANCE DIFFER IN KIND?
  V. THE SIGNIFICANT DIFFERENCES IN DEGREE
    A. Risk Management is Still Evolving
    B. The Benefits of Risk Management Programs are Inherently Less Certain
    C. Risk Management and Risk Taking are Inextricably Intermingled
  VI. TWEAKING CAREMARK
    A. An Utter Failure to Adopt Risk Management Programs
    B. Risk Management Red Flags
  VII. CONCLUSION

  I. INTRODUCTION

    Enterprise risk management is the process by which the board of directors and executives of a corporation define the firm's strategies and objectives so as "to strike an optimal balance between growth and return goals and related risks." (1) It encompasses determining an appetite for risk consistent with the interests of the firm's equity owners and identifying, preparing for, and responding to risks. (2) Although primary responsibility for risk management rests with the corporation's top management team, the board of directors is responsible for ensuring that the corporation has established appropriate risk management programs and for overseeing management's implementation of such programs. (3)

    The financial crisis of 2008 revealed serious risk management failures on an almost systemic basis throughout the business community. (4) Shareholder losses attributable to absent or poorly implemented risk management programs likely are enormous. (5) Will shareholders be able to recoup some of those losses by suing boards of directors of companies with lax risk management programs?

    Shareholder suits bringing such claims principally implicate the analysis of oversight failures by the board of directors, as established by the Caremark (6) decision and its progeny. (7) Caremark held that the board of directors has a duty to ensure that appropriate "information and reporting systems" are in place to provide the board and top management with "timely, accurate information." (8) Although post-Caremark opinions and commentary have focused on law compliance programs, (9) the original Caremark decision contemplated a similar duty with respect to the corporation's "business performance." (10)

    There is no doctrinal reason that Caremark claims should not lie in cases in which the corporation suffered losses, not due to a failure to comply with applicable laws, but rather due to lax risk management. (11) Likewise, there is no basis in the underlying policy concerns for limiting Caremark to cases involving lax law compliance. Risk management and law compliance differ only in degree and not in kind. (12) Even so, some of those differences matter. Accordingly, courts need to develop a modified regime for deciding Caremark claims that do not involve law compliance issues. This Article concludes by outlining the relevant considerations.

  II. ENTERPRISE RISK MANAGEMENT

    A. Overview

      Enterprise risk management is the process by which a business organization anticipates, prevents, and responds to uncertainties associated with the organization's strategic objectives. (13) Put another way, risk management is the process by which business organizations proactively determine the types and levels of risk appropriate for achieving the organization's strategic goals. (14) In recent decades, increasing attention has been paid to the evolving standards of enterprise risk management "as financial theory has advanced, new technology has made modeling of risks more feasible, and innovation has helped to find better ways to mitigate risk." (15)

      A large public corporation these days faces "a myriad of risks ... ranging from complex financial risk to quality control regarding material manufactured in China." (16) In general, however, the risks corporations face can be broadly categorized as operational, market, and credit. Operational risk encompasses such concerns as "inadequate systems, management failure, faulty controls, fraud, and human error." (17) Related concerns include failure to comply with applicable legal rules, accounting irregularities, bad business models, and strategic planning errors.

      Market risk can be broadly defined as changes in firm valuation linked to asset performance. For example, financial risk management views market risk as the expected variance of a portfolio's rate of return. (18) In contrast, the Basel Accords define market risk "as the risks (a) 'in the trading book of debt and equity instruments and related off-balance-sheet contracts and (b) foreign exchange and commodities risks.'" (19) In either case, market risks are identified and evaluated by financial models that predict changes in prices, interest rates, liquidity, and foreign exchange rates. (20) Credit risk is defined as the possibility that a change in the credit quality of a counterparty will affect the firm's value. (21) It thus includes not only the risk of default, but also such risks as the possibility that a credit-rating agency might downgrade the counterparty's creditworthiness. (22) The financial crisis revealed that the existing models for measuring and predicting consumer credit risk are poorly developed. (23)

      The tools for managing these risks ex ante include (1) avoiding risk by choosing to refrain from certain business activities, (2) transferring risk to third parties through hedging and insurance, (3) mitigating operational risk through preventive and responsive control measures, and (4) accepting that certain risks are necessary to generate the appropriate level of return. (24) Examples of such tools in action include the use of asset securitization and derivatives to hedge risk, (25) although they both also proved tempting devices for speculative excesses that contributed to the financial crisis. A rather different example, far removed from the complexities of modern financial instruments, is Microsoft's reliance on temporary workers. (26) It allows Microsoft to make quick personnel changes in response to evolving operational risks. (27)

      Best practices with respect to enterprise risk management are still evolving. (28) Indeed, while there are a number of widely used risk management frameworks, none has emerged as a dominant best practice. Basel II, for example, is a set of international regulatory guidelines for determining the minimum acceptable levels of capital that financial institutions need to protect themselves from market, credit, and operating risk. (29) Despite having been designed for banks and similar financial firms, the Basel II framework has become extremely influential in the risk management industry generally. (30) Alternatively, many firms have adopted COSO's 2004 recommendations, even though they in fact provide "little guidance on how to design and execute an effective enterprise risk management framework." (31) The problem of choosing among competing best practice proposals is compounded by (or, perhaps, attributable to) the fact that different firms have different appetites for risk and face different types of risk, which means they have differing enterprise risk management needs. (32)

    B. Risk Management and the Financial Crisis of 2008-2009

      Risk management failures during the financial crisis took several different forms. At some firms, the problem was the absence of any system for managing risk. According to a 2002 survey of corporate directors, 43% said that their boards had either an ineffective risk management process or no process for identifying and managing risk at all. (33) According to the same survey, 36% of directors felt they had an incomplete understanding of the risks faced by their companies. (34)

      A 2008 Towers Perrin survey of CFOs suggests that risk management remained underdeveloped when the financial crisis hit. Seventy-two percent of the respondents, for example, "expressed concern about their own companies' risk management practices and ability to meet strategic plans." (35) Instructively, 42% "foresaw more energized involvement by boards of directors in risk management policies, processes and systems," (36) which implies that pre-crisis boards were inadequately engaged with risk management. This inference finds support in a 2006 observation that risk management was still "a work in progress at many boards." (37)

      Among firms that had undertaken risk management programs prior to the crisis, many used a silo approach in which different types of risk were managed by different teams within the firm using different processes. (38) This sizeable group of firms thus failed to adopt an enterprise management approach in which all risk areas were brought into a single, integrated, firm-wide process. (39) Indeed, according to a 2007 survey, only about ten percent of respondent firms had adopted such a holistic approach to risk management. (40)

      To be sure, some argue that even effective risk management programs could not have anticipated the financial crisis that struck in 2008. As the argument goes, risks fall into three broad categories: known problems, known unknowns, and unknown unknowns. (41) "There is a view that the financial crisis - while clearly a high-impact, rare-event risk - was unpredictable and possibly unmanageable, an unknown unknown." (42) In fact, however, there were warning signs of an approaching crisis in the housing market, including "easy home-mortgage credit terms combined with rapidly accelerating home prices and reportedly lax credit standards," (43) which, in turn, signaled risks for the financial services industry and then the economy as a whole.

      Evaluating such extremely low probability, but very high magnitude, risks is challenging because the outcomes associated with such risks do not follow a normal distribution. (44) Instead, they tend to have long or fat tails. (45) Because risk management is focused on extreme events, requiring one to quantify the probability and magnitude of severe loss events, an uncertainty generating such...
