A recent Nixon Peabody memo reminds management teams to ensure that risk management policies and procedures are updated and implemented and that any crises are resolved — ignoring a “red flag” may indicate a breach of management’s duty of care. The memo provides suggestions for updating company risk management programs, saying it’s now more important than ever, as many existing risk management programs may no longer be adequate during the COVID-19 pandemic. Here’s an excerpt:
Such procedures must be updated in accordance with state and federal recommendations and address not only the damage caused so far, but the arduous task of reopening, and the potential for similar or greater crises down the line. In particular, companies must have risk management policies and procedures updated for coronavirus in relation to:
– Possible industry-specific impacts
– Continuity of business issues
– Supply chain disruption
– Increased risk of litigation
– Decreased or impaired workforce
– Increased cybersecurity risks
Furthermore, under the current circumstances, company management cannot simply enact such risk management and step aside. Management is well-advised, for example, to set up COVID-19 subcommittees to report on a regular, if not daily, basis. Regular meetings, with minutes, must be held in response to the changing COVID-19 landscape to document the measures that are being taken, and the motivations for business decisions, to help stave off future regulator actions and derivative litigation.
Management should report about what it’s doing and what advice and guidance it’s relying on. The memo also says in certain circumstances it may be appropriate for management to bring in an inside or outside expert to present to the board – doing so can help bolster the board’s record of diligence. Management and the board should document the advice sought and how it was applied.
-Lynn Jokela, TheCorporateCounsel.net May 29, 2020