Developing a D&O risk management strategy
January 2012 | TALKINGPOINT | RISK MANAGEMENT
John R. Phelps of the Risk and Insurance Management Society, Inc. (RIMS) moderates a discussion on developing D&O risk management strategies between Harold P. Reichwald at Manatt, Phelps & Phillips, LLP, Jeffrey S. Grange at Torus Insurance, and Lawrence Racioppo at Towers Watson.
Phelps: There is little doubt that D&Os around the world find themselves in a challenging business environment. In your opinion, what are the key personal risks faced by corporate leaders today?
Reichwald: Business organisations today operate in a highly complex, rapidly changing global environment. Often decisions taken in good faith turn out to have been wrongheaded for a variety of reasons. The marketplace provides little tolerance for costly mistakes by directors and executive officers even when made honestly and in good faith. In a litigious society, persons who claim to have been harmed by those decisions are quick to blame D&Os for losses and to seek compensation for those losses from the key officers and directors personally. This attempt at risk transference needs to be met with a well-structured program that combines an understanding and assessment of the organisation’s risk parameters, an effective system for ameliorating those risks, and an encompassing D&O insurance program.
Grange: D&Os face increased regulatory scrutiny and an ever-expanding burden of compliance. Every dimension of traditional risk is morphing and translating into new exposures. D&Os confront new and emerging risks as technology transforms the business models at a breakneck pace. As the regulatory pendulum moves away from D&Os, insureds are operating in an environment of heightened legal liability especially around corporate governance, financial disclosure, and consumer protection. The risks and exposures that arise from technology, content dissemination, privacy and network security are now an everyday part of doing business. Never has there been a point where the personal assets of D&Os are more at risk.
Racioppo: Regardless of whether you are acting on behalf of a public organisation or a non-profit agency, all D&Os have the responsibility and duties of care, loyalty and obedience to many parties including the organisation, shareholders, creditors, customers, vendors, competitors, and regulatory agencies. Their personal assets are at risk if they fail to meet these standards. That said, one of the interesting things we have seen in the D&O arena is the ‘sea change’ that has occurred over the past few years from a litigation standpoint. It is no longer solely the traditional securities class action claims that keeps D&Os awake at night. There has been a notable increase in many other types of lawsuits, including securities fraud cases – often brought by regulatory and law enforcement agencies; breach of fiduciary duty cases – ‘merger objection lawsuits’; as well as derivative actions.
Phelps: Are you seeing more companies implement risk management frameworks designed specifically to protect their D&Os against potential court battles, costly settlements and tougher penalties?
Grange: Effective risk management is a three prong effort of risk identification, risk mitigation, and risk transfer. With its overhaul of corporate governance and financial disclosure, the Dodd-Frank Wall Street Reform and Consumer Protection Act is massive in scope. It extends regulatory oversight to private and public companies and their D&Os, and reaches far beyond the Sarbanes-Oxley Act of 2002. Dodd Frank, the Foreign Corrupt Practices Act, Health Information Technology for Economic and Clinical Health Act, and the Fair Labor Standards Act, together with the burden of compliance, will lead to increased compliance costs, new avenues of liability, and potential litigation for private and public companies, small and large. Early identification of legal, regulatory and compliance risks as well as a holistic, enterprise wide operational risk management framework reduces the probability of loss. The best defence for D&Os against potential lengthy court battles, costly settlements, and tougher fines and penalties is loss avoidance. In the event that losses occur their early identification mitigates their ultimate severity.
Racioppo: There are a variety of steps that well-advised companies are taking as part of their day-to-day operations in order to reduce their risk of securities litigation. These steps include insider trading controls, disclosure controls, and advance preparation to manage the process when bad news does arrive. The typical securities fraud lawsuit is triggered by a company’s announcement of bad news followed by a significant drop in the company’s stock price. The single most important step for a company to reduce its securities litigation exposure is to institute procedures to eliminate insiders trading their shares of the company’s stock in suspicious amounts at suspicious times. Well-advised companies will review with their outside counsel the possibility of instituting written insider trading guidelines that identify procedures governing all trades in company securities by directors, officers and employees. Well-advised companies also protect themselves from securities litigation risks by using the company’s periodic SEC reports and other regular shareholder reports as an opportunity for ‘defensive disclosure’ of known trends, uncertainties, and business risks that the company faces. Finally, and in order to be prepared when problems do arise, companies seeking to manage their securities litigation risk will have detailed procedures in place in order to face the challenges that can arise when the company has bad news to disclose.
Reichwald: Perhaps the most significant effort has been the promotion of an integrated framework of enterprise risk management, especially in regulated industries such as banking and healthcare. To that end, the effort has been to focus on a series of components such as the organisation’s internal environment, culture, and values; the establishment of key objectives with which to align risk processes with the mission of the organisation; the likely effect of outside events on the organisation; risk assessment and response; establishment of mechanisms to control identified risks; and internal controls reflecting the adequacy of information and monitoring of risk management. Enterprise risk management also provides a significant level of protection to D&Os from claims of outside stakeholders because it enables these decision makers to minimise or eliminate potential regulatory issues, court battles and expensive litigation, and reputation costs and settlement expense. Given its importance, a separate risk management committee of a board of directors is likely to become prominent.
Phelps: What steps can D&Os take to protect themselves in the current market? How important is it to ensure their companies maintain legal and regulatory compliance, and establish a system of governance based on independence and accountability?
Racioppo: Whether it be ensuring compliance with the Foreign Corrupt Practices Act or the UK Bribery Act, navigating the implications of the Dodd-Frank Act or trying to understand the tremendous risk posed by cyber threats, D&Os arguably face more pressure than ever. At the risk of stating the obvious, D&Os need to be engaged so that in the event of a lawsuit they are in a position to demonstrate that they have met the ‘business judgment rule’, which is ultimately the first line of defence. In terms of their D&O program, it is important that D&Os conduct an independent review of their D&O policies. This will provide a thorough analysis as to how the current structure may impact them personally in the event of a claim. To that end, any substantive concerns can be raised with the organisation and considered as part of the renewal process.
Reichwald: D&Os must understand their respective responsibilities. Directors are charged with overseeing the business enterprise and assuring that management is executing the strategic plan for the organisation. Officers are entrusted with the day-to-day management of the business. Both groups owe a duty of loyalty, care and obedience to the organisation. These duties can only be met if D&Os act independently without regard to personal loyalties and friendships. Boards of directors should have a variety of skill sets sufficient to assure that all aspects of the business are clearly understood. Executive management must understand that the key to overall risk management is a dynamic and reinforcing relationship between a board of directors and executive management. The CEO must not seek to manage the board’s activities or deliberative process. Board minutes should be reflective of the deliberative process so that evidence will exist that the directors’ actions met the required standard of performance.
Grange: Companies are making substantial investments to build robust and efficacious risk management frameworks at an enterprise level to comprehensively take inventory of their legal, financial, operational, and reputational risks. Private and public companies are developing multi-faceted strategies to mitigate these risks, especially around full, fair, and timely financial disclosure, ensuring the independence of audit and accounting disciplines as well as adding strong independent directors to their board of directors. The conduct and compliance of companies and their D&Os goes directly to the reputation, creditability, confidence, and brand in the eyes of customers, employees, partners, vendors, creditors, regulators, and ultimately shareholders. Superior risk management, quality assurance, and effective enterprise wide compliance, are tangible competitive advantages that go right to the fundamental valuation of the enterprise and differentiate a company from its peers.
Phelps: How have D&O insurance policies evolved to meet the needs of corporate leaders and their companies over the last few years? What changes have you seen in policy coverage and pricing, for example?
Reichwald: D&O insurance contracts continuously evolve in a dynamic and changing economic environment. Going forward, corporate leaders are likely to continue to push for expanded coverage of ‘special investigations’, at least when undertaken by a governmental authority. The ‘insured vs. insured’ exclusion is likely to remain but the ‘regulatory exclusion’ might change in the face of competitive pressures. I would expect there will be efforts to clarify the sometimes murky interplay of corporate advancement of defence costs and indemnification and insurance coverage. Demand for higher policy limits in the face of mounting defence costs will affect pricing and there is likely to be greater emphasis on ‘Side A’ coverage, particularly to cover gaps in indemnification protections.
Grange: In the past the potential consequences of operational failures, and their downstream compliance violations and regulatory investigations, included fines and penalties which are outside the scope of coverage of a typical D&O policy. The definition of loss under some D&O policies has evolved where coverage is afforded to indemnify defence costs in any jurisdiction where fines and penalties are legally insurable on the one hand and where the companies may not be legally permitted to indemnify their D&Os. For the individual director and officer defendants, the standard D&O policy would provide coverage for most of the kinds of claims asserted in the follow-on civil litigation, subject to the policy’s other terms and conditions.
However, most D&O policies also exclude coverage for claims arising out of fraudulent, dishonest, or criminal acts. These are often referred to as the conduct exclusions. Compliance violations and regulatory investigations often include elements of alleged fraudulent, dishonest, or criminal acts, breaches of the fiduciary duties of the D&Os in their corporate oversight, and operational failure of the company’s internal controls. D&O policies have evolved to provide coverage for the defence of claims made against the individual D&O defendants up to the adjudication alleging of the alleged excluded conduct. The increased tempo of regulatory investigation, the widening sweep of compliance, and the more vigorous posture of regulators to enforcement has increased both the frequency and cost of regulatory investigations. Many D&O policies exclude completely, or significantly limit, coverage for investigations under the definition of a claim. Coverage is currently available and affordable. A word of caution however – as 2012 fast approaches today’s pricing environment for D&O liability is in transition. We are beginning to see an uptick in prices. As the number of regulatory investigations increase, and defence costs continue apace, D&O buyers need to be prepared for the possibility for modest price increases on their program where the insureds have sustained losses or have increased risk and exposure.
Racioppo: It is clear that one of the fallouts from the subprime and credit crisis is increased regulatory scrutiny. We have seen a tremendous increase in regulatory claims, most notably in the financial sector. From a market standpoint, we have seen a variety of policies introduced to allow firms to consider transferring some of this increased regulatory risk through insurance. Examples include policies that expand the definition of claim for individual insureds for less ‘formal’ investigations as well as policies designed to extend coverage to the organisation itself for ‘investigations’. Though we have seen instances whereby the market is beginning to shift, the fact remains that we continue to operate in an environment that is highly competitive. There are many insurers chasing fewer clients, which continues to have an impact on pricing.
Phelps: Could you highlight some of the major issues to consider when structuring a D&O insurance policy? What implications can arise – both for D&Os personally and for their companies – from a failure to properly evaluate insurance documentation?
Grange: Directors, officers, risk managers and general counsel of private and public companies alike, should work with their trusted insurance advisers – agents and brokers – to ensure: coverage is afforded under their D&O policy for fines and penalties where insurable by law; Side A defence cost coverage is included for individual defendant directors and officers for any claims made against them arising out of alleged fraud, dishonesty and criminal acts; and the definition of claim includes coverage for formal regulatory investigations. In addition, companies should ensure that they are purchasing the necessary and sufficient D&O indemnity limits to ensure that the costs of responding to regulatory investigations do not exhaust available policy limits, thereby leaving the individual D&Os with no limits available to indemnify the individual D&Os for settlements, fines, penalties, or follow in securities lawsuits, or civil liability action brought by disgruntled parties and stakeholders.
Racioppo: It is critical for organisations to understand the scope of coverage that is available under a D&O policy and what it is they are trying to achieve when structuring their company’s program. Most D&O policies include a blend of coverage. Specifically, coverage for ‘non-indemnifiable’ matters – often referred to as Side A coverage; as well as coverage to the company itself for the reimbursement of their indemnification obligations – Side B; and coverage to the organisation itself for direct claims – Side C. Note that for public organisations, Side C coverage is generally limited to securities matters. Beyond that, one of the biggest misconceptions we see is when organisations falsely believe that a particular coverage extension is always in their best interest. While a particular coverage extension may be deemed ‘broader’, such language should only be negotiated after careful discussion with the client so as to consider the potential downside.
Reichwald: There is no standard form of policy and the issues are numerous. With that in mind, there should be significant negotiation over the key elements of the coverage and the exclusions, some of which require very close scrutiny and understanding of the legal implications. Among these areas are the fraud or personal profit exclusions and the issues of ‘final adjudication’ or causation in that context; the elimination of the exclusion for regulatory action, which is noteworthy in the banking context; clear claims reporting requirements for the insured coupled with the very narrowest definition of ‘claims’ for this purpose; and coverage for the broadest of ‘claims’ including formally initiated ‘investigations’ with the attendant tension with the definition of ‘claim’ for reporting purposes; and sufficiently high limits to cover the costs of multiple counsel and extensive potential liability. Other areas for negotiation include defined triggering events for excess insurance coverage that allow exhaustion to occur even absent full participation by the underlying layers; and strong severability provisions so that each individual insured is treated separately and is not tarred by misstatements of any co-insured. A failure to understand these issues and the published court decisions fully can lead to an unintentional failure of coverage.
Phelps: How should D&Os assure themselves that the amounts, depth and breadth of coverages are adequate, and remain adequate, given the level of identified risk in the marketplace in which the company operates?
Racioppo: The corporate and securities plaintiffs’ bar is opportunistic and resourceful. The existence of an active and opportunistic plaintiffs’ bar ensures that as events move forward, companies and their D&Os will continue to face potential liability exposure from corporate and securities litigation. Whether the risks ahead relate to cyber security, climate change, or another exposure that has not yet emerged, well advised companies and their senior officials will enlist the assistance of their legal counsel in order to ensure that they are taking steps to try to reduce their litigation risks. Well-advised companies will also consult with their insurance advisers in order to ensure that they and their D&Os have the best insurance available to protect them in the event that a lawsuit should arise.
Reichwald: Start with a knowledgeable broker, not merely a personal friend in the insurance brokerage business. Get advice from experienced independent counsel who is conversant with the issues and the legal trends, and not from the company’s general counsel. Make certain that the broker and counsel have an opportunity to present their recommendations in writing to executive management and to the board as a whole, not merely to the company’s chief risk manager or head of insurance. Allow the board members to get comfortable with the coverage as a whole and to provide feedback to management. Consult with counsel at least quarterly to determine from the defined group within the company whether any events have occurred which might be considered a claim for insurance reporting purposes, keeping in mind that many insureds prefer a broad definition to assure maximum coverage without being cognisant of the attendant reporting requirements.
Grange: In partnership with their trusted insurance agents and brokers, as well as outside counsel and insurance carriers, it is important to regularly revisit the terms and conditions of the D&O policy coverage to ensure that the language is broad, comprehensive, current, and contemporary with the rapidly changing legal environment. In addition, benchmarking the company’s coverage against relevant industry peers to ensure that it is positioned to respond to emerging legal liability, regulatory and claims trends, as well as to gauge that the limits of liability purchased are adequate for the risk facing the D&Os.
Phelps: What trends do you expect to see in D&O risk management going forward? Since it is unlikely that personal risks to D&Os will decline, do you expect more of them will seek independent legal advice to identify mitigation strategies?
Reichwald: I expect there will be a continuing request by directors to have access to independent outside counsel paid for by the company, without the need to interact with the company’s legal department. This also would include the work of board committees such as the audit committee, which is often on the frontline in dealing with risks and claims. In many cases, outside counsel will be asked to attend board meetings so as to provide real time advice regarding boardroom deliberations. The board increasingly will focus on the setting of risk parameters and the follow-on monitoring of compliance with those parameters. Also, both directors and officers are likely to want higher policy limits to adequately cover defence costs as well as potential liabilities. Inasmuch as there is D&O liability for mistaken decisions not taken honestly and in good faith, there will be an increased focus on the possibility of personal conflicts in decision-making.
Grange: Both existing and emerging risks facing D&Os today abound, and there is an accompanying proliferation of new avenues of potential liability As new exposures emerge, underwriters must adapt and work with companies and their D&Os, as well as their outside advisers – including insurance agents and outside legal counsel – to develop risk transfer products that mitigate and transfer these risks in an efficient and cost effective manner.
Racioppo: This is probably the question that D&O insurance professionals are asked most frequently. There are a variety of factors that go into the limits selection process, including a blend of quantitative analysis and corporate philosophy. The analysis also differs to some degree based on whether we are talking about a public company or a private company. In terms of quantitative analysis, firms typically like to review peer purchasing patterns; that is, how much D&O insurance similarly-sized firms purchase. This is often based on a firm’s market capitalisation, if publicly traded, or total asset size, if privately held. Public firms will also want to take into account other metrics, including potential securities class action litigation settlement exposure, which takes into account current market capitalisation and industry class. Of course, it would be short-sighted to base the limits decision on ‘what the other guy does’ and history has shown that past settlement data is really not a reliable indicator of predicting future settlements. Beyond metrics, at some point it comes down to less quantifiable analysis and more of a philosophical debate. Issues such as risk tolerance, level of protection desired by board members, and costs need to be considered.
John R. Phelps is corporate secretary at the Risk and Insurance Management Society, Inc. (RIMS), where he is on the board of directors. He was an early advocate for the development of Enterprise and Strategic Risk Management as areas of focus within RIMS. He was instrumental in the development of the book ‘RIMS Maturity Model for ERM, ERM for Dummies’ and the educational program ‘Enterprise Wide Risk Management’ administered by the American Institute for CPCU. Mr Phelps is also a director at the healthcare company Blue Cross and Blue Shield of Florida, Inc., where he is responsible for the management and development of the company’s comprehensive Enterprise Risk Management (ERM) program.
Harold Reichwald is co-chair of the Financial Services and Banking practice at Manatt, Phelps, & Phillips, and has counselled a variety of banks and specialty finance institutions. He and has extensive banking and finance experience including representation of boards of directors and other business governance matters, including issues of D&O insurance; representation of domestic and foreign financial institutions before the FDIC, the Federal Reserve Board and other bank regulatory agencies in connection with new product development, chartering new banks and branches, and issues arising from the bank examination process. Mr Reichwald can be contacted on + 1 (310) 312 4148 or by email: firstname.lastname@example.org.
Jeffrey S. Grange is senior vice president and chief underwriting officer of professional lines at Torus Insurance. Mr Grange is a leading expert on management professional liability, D&O liability, operational risk, employee crime, unauthorised (rogue) trading, cyber crime, and e-risk management. He joined Torus in October 2010 from Chubb where he was senior vice president and worldwide manager for their professional liability businesses. He holds a BSc in Human Physiology and a BA in Political Science from McGill University in Montreal, Quebec, Canada. He can be contacted on +1 (201) 830 2534 or by email: email@example.com.
Lawrence Racioppo is the leader of Towers Watson’s executive liability practice, part of the company’s insurance brokerage business. Mr Racioppo leads Towers Watson’s efforts to expand the company’s analytical and brokerage capabilities in the executive liability space, working with corporate clients on all transaction-related issues including policy language, program design, and marketing for specialty coverages, including directors and officers liability, employment practices liability, pension trust liability, fidelity and related professional liability lines. He received his Bachelor of Business Administration degree from Texas A&M University, and earned his Masters of Business Administration from Pace University. He can be contacted on +1 (203) 363 1907 or by email: firstname.lastname@example.org.
© Financier Worldwide
John R. Phelps
Risk and Insurance Management Society, Inc. (RIMS)
Harold P. Reichwald
Manatt, Phelps & Phillips, LLP
Jeffrey S. Grange