Do CLOs, CROs, & CAEs Have a Duty to Brief Boards on MCOs & Risks?

Key Takeaways
  • CLOs' Fiduciary Duty: CLOs have a fiduciary duty of care to inform the board of legal expectations regarding the oversight of mission-critical risks, especially those tied to compliance and legal matters.
  • CROs and CAEs' Duty of Care: While not formal fiduciaries, CROs and CAEs have a heightened duty of care and often function similarly to fiduciaries when escalating significant risks related to compliance and mission-critical objectives to the board.
  • Legal Precedents: Legal cases like In re McDonald’s and Marchand v. Barnhill highlight the critical role CLOs play in ensuring that boards meet their fiduciary responsibilities by staying informed on material risks.
  • Regulatory Frameworks: CROs and CAEs are required by frameworks like SOX, SEC, OCC, Fed, and Basel to escalate material risks, particularly those that threaten compliance or other mission-critical functions, to the board.
  • Improving Board Reporting: If a company isn’t adequately briefing the board on mission-critical risks, CROs and CAEs should engage with the CLO and CEO to discuss how to improve board reporting and ensure the board meets its fiduciary obligations.

Deep Dive

In his most recent article, Tim Leech explores whether Chief Legal Officers (CLOs), Chief Risk Officers (CROs), and Chief Audit Executives (CAEs) have a legal duty to brief the board on its fiduciary responsibilities related to escalating MCOs and associated risks. By diving into the roles of these executives, Tim Leech highlights their obligations to ensure that boards are well-informed about the risks that need to be managed and monitored to protect the organization.

Understanding the Fiduciary Responsibilities of CLOs, CROs, and CAEs

Corporate governance increasingly places emphasis on the responsibility of boards of directors to oversee mission-critical objectives (MCOs) and the associated risks. But who within the organization is responsible for ensuring that the board remains fully informed about its fiduciary duty to manage these risks? Specifically, do Chief Legal Officers (CLOs), Chief Risk Officers (CROs), and Chief Audit Executives (CAEs) have a legal obligation to alert the board about its fiduciary duty to oversee escalating mission-critical objectives and risks?

While the answer may vary depending on jurisdiction, it’s important to examine the roles and responsibilities of these executives. To gain a deeper understanding, I posed this question to ChatGPT to break down the obligations of CLOs, CROs, and CAEs in relation to the board's duty to oversee mission-critical risks.

TIM: Do Chief Legal Officers (CLOs), Chief Risk Officers (CROs), and Chief Audit Executives (CAEs) have a fiduciary duty to alert directors regarding escalating legal expectations boards should oversee mission-critical objectives (MCOs)/risks?

ChatGPT’s Response:

  • CLOs: Yes—CLOs are generally seen as officers of the corporation who may owe fiduciary duties, especially the duty of care and duty of loyalty. Courts have signaled that CLOs have a responsibility to ensure the board is aware of legal risks, particularly those tied to compliance and mission-critical issues.
  • CROs and CAEs: Not fiduciaries in the classic legal sense, but they do have a professional duty of care and possibly a functional fiduciary-like duty when it comes to escalating significant risk or control issues to the board, particularly if those risks relate to compliance or existential threats to the company.

A Deeper Breakdown: A Gatekeeper Role

The role of the CLO is fundamentally one of gatekeeper. CLOs are typically expected to ensure that boards are informed of material legal and compliance risks. Courts, particularly in Delaware, have increasingly emphasized this responsibility. For example, in In re McDonald’s Corp. Stockholder Derivative Litigation (2023) and Marchand v. Barnhill (2019), the courts highlighted the significance of CLOs acting as gatekeepers, helping boards meet their oversight duties.

Failure to alert the board about legal expectations, such as the duty to oversee mission-critical risks, could constitute a breach of the CLO's fiduciary duty of care or loyalty, especially if such a failure results in regulatory or legal exposure for the company.

CROs and CAEs: Duty of Care and Functional Fiduciary-Like Responsibilities

While CROs and CAEs may not be formal fiduciaries in the traditional sense, their roles still come with important professional obligations. They are expected to maintain the integrity of risk and audit reporting to the board, ensuring that significant risks—especially those tied to compliance and mission-critical activities—are escalated.

Regulatory frameworks such as SOX, SEC, OCC, Federal Reserve, and Basel guidelines require that material risks, particularly those related to compliance and risk management, be brought to the attention of the board. While CROs and CAEs may not be fiduciaries in the strictest sense, they are increasingly expected to function similarly to fiduciaries when it comes to escalating risks that could undermine the company's operations or compliance standing. Failure to escalate known risks may result in personal liability or regulatory sanctions.

Fiduciary Duty and Escalating Risks
  • CLOs: Chief Legal Officers hold a fiduciary duty of care to inform the board of legal expectations concerning the oversight of mission-critical risks, particularly in relation to compliance and legal matters.
  • CROs and CAEs: While not formal fiduciaries, CROs and CAEs do carry a heightened duty of care and diligence in ensuring that the board is made aware of risks that could threaten the organization. Their role increasingly functions in a manner similar to a fiduciary when it comes to escalating risks related to compliance and mission-critical activities.

If your company does not currently provide its board with comprehensive updates on mission-critical objectives and risks, CROs and CAEs should first discuss the need to brief the board on its fiduciary responsibility with the CLO and CEO. It is important to be mindful of potential resistance from CEOs who may not want the board to fully understand the extent of the risks the company faces. Nonetheless, CLOs, CROs, and CAEs have a crucial role in ensuring that the board has the information it needs to uphold its fiduciary duties.
