‘Where Was the Board?'—The Essentials of Oversight

Increasing scrutiny is being applied to the role of board members of nonprofit hospitals and health systems when the organization suffers what third parties may consider “preventable” harm—whether financial or reputational. Some of this is attributable to the typical “second guessing” from the media, but some is also attributable to the legitimate interest of regulators in preserving the value of charitable assets. The third party concern is most often whether the organizational harm could have been prevented or mitigated by more active oversight by the governing body.

Such a “Where was the Board” approach is prompted by a number of recent developments. First is the unmistakable rise in reported instances of alleged fraud, gross misconduct or defalcation committed by, on behalf of or against nonprofit organizations and their officers/executives. Whether there is an actual increase in such activity or rather merely an increase in the media coverage of such activity is immaterial. The public, and charity regulators, are increasingly (and understandably) intolerant of any suggestion of abuse involving nonprofit organizations. Second is the recognition by regulators and legislators of the extent to which fraud, abuse and corporate malfeasance contribute to the rising cost of health care. Third is the increased pressure on nonprofit organizations to justify their favorable tax exempt status within the context of extreme budgetary pressures on both the state and federal levels; i.e., to demonstrate that government is receiving “bang” for its tax exemption “buck.” Fourth is the larger “culture of accountability” that has arisen in the aftermath of the recent recession, in which finger-pointing and attempts to assess personal responsibility are increasingly the order of the day. Somebody’s got to be blamed for this, right?

It is most certainly true that the personal liability risk associated with nonprofit board service remains quite minimal, except in the most egregious of circumstances. Health care and charity regulators are broadly supportive of board service, particularly when voluntary in nature. However, the risk that board member conduct may at some point be exposed to regulatory or media scrutiny (short of actual liability) is more within the range of probability. This is especially the case involving large, prominent nonprofit organizations; major or controversial transactions; and allegations of abuse or misconduct that threaten the organization’s reputation or asset base. In such situations, board members may be subject to an undesirable (and potentially public) review of their actions and conduct. That’s not what they signed up for.

Given this environment, corporate counsel can play a valuable role in advising the board on the essentials of its fundamental fiduciary obligation of oversight, the proper lines of authority between governance and management, effective board reporting mechanisms, and the importance of recognizing—and appropriately responding to—the warning flags of organizational and individual misconduct. This is particularly the case given a series of recent high-profile scandals involving nonprofit corporations and the increased emphasis by health care regulators on individual accountability for compliance violations. The general counsel is particularly well suited to provide the board with the necessary advice, education and reassurance that will allay unnecessary concerns, help sharpen individual conduct and allow the board to be more focused in the performance of its collective fiduciary duties. All of this should help to enhance the core relationship between the board and senior management.

What’s Been Going On?

The past year has seen more than its share of high profile scandals involving prominent nonprofit organizations. These are hurtful on a broad scale. The natural tendency for many boards is to marginalize those scandals by a “We’d never do that kind of thing” mentality. Yet, individually and collectively, these scandals serve to harm the interests of the broader nonprofit community. There they go again. To the general public, they serve to erode the previously held perspective that nonprofits deserve the benefit of the doubt given the nature of their activity. To legislatures and regulators, they serve as a reminder that nonprofit status is not, in and of itself, a guarantor of compliance—and of the need to question more closely the quality of nonprofit governance.

The most recent and dramatic example of this is the scandal that engulfed the Fiesta Bowl and its affiliated companies—all nonprofit, Internal Revenue Code Section 501(c)(3) entities. ¹Report of the Fiesta Bowl Special Investigative Committee, http://www.fiestabowl.org/_documents/reports/Press_Release_3-29-2011.pdf As has been widely reported, an internal investigation identified a series of allegations of problematic and potentially illegal actions involving its chief executive officer and other agents: (a) an apparent effort to reimburse employees for almost $50,000 in improper political campaign contributions allegedly made at the direction of the CEO; (b) a marred initial internal investigation replete with serious conflicts of interest; (c) an apparent internal conspiracy to hide the campaign contribution reimbursement scheme from the governing board and state charity officials; and (d) unauthorized and excessive compensation, as well as gifts and expenditures for nonbusiness, inappropriate purposes.

We don’t know the full story, of course; we weren’t in the board room and are in no position to judge the conduct of what is by all accounts a collection of highly regarded, well intentioned community leaders. Nevertheless, these unfortunate events served to publicly and loudly call into question the level of the board’s engagement in charity operations. The local media in particular focused on the effectiveness of governance oversight. Where was the board when all of this was going on? These concerns have not completely abated despite the apparent swiftness and thoroughness of the board’s reaction—commissioning a second internal investigation, instituting a series of internal operating and governance controls and procedures, replacing internal and external legal counsel and independent auditors. While these actions have served to preserve (at the cost of a $1 million fine) the organization’s crucial status with the Bowl Championship Series—one of the charity’s most significant assets—it remains to be seen whether state and or federal charity regulators will insist on additional operational, management or governance changes. From a broader perspective, the Fiesta Bowl fiasco serves as a costly reminder that scandals can and do occur at the most prominent of nonprofit organizations, and that the qualifications of individual board members are not, in and of themselves, a guarantor of organizational compliance.

We’ve seen similar scandals in the nonprofit health sector in recent months. For example, the governing board of the Kansas City University of Medicine and Dentistry suffered withering media criticism for alleged oversight failures with respect to its controversial CEO—whose management practices led to her indictment in March, 2011 by a federal grand jury on embezzlement charges. ²“Former University President Indicted for Embezzling $1.5 Million,” http://www.fbi.gov/kansascity/press-releases/2011/kc033111.htm; see also, Karen Pletz and Kansas City University of Medicine and Biosciences argue over who pays her legal bills, Kansas City Business Journal, Steve Vockrodt, Kansas City Business Journal, April 22, 2011. Her alleged fraud scheme included unauthorized compensation payments, and reimbursements for unauthorized personal expenses and fraudulent charitable contributions. The core of the media criticism was that a series of internal administrative developments were sufficient warning signs to the board of erratic executive behavior that, had it been acted on promptly, could have mitigated the harm. Another example involved the fall, 2010 public reprimand by the Massachusetts Attorney General of the governing board of Beth Israel Deaconess Medical Center. ³Massachusetts Attorney General Beth Israel Hospital Review, http://www.mass.gov/Cago/docs//nonprofit/Beth_Israel_Hosptial_Review_090110.pdf The attorney general was critical of what she identified as serious lapses in the independent board oversight of the CEO. She claimed these lapses contributed to material reputation damage to the institution when the CEO resigned following disclosure of allegations of improper relationships with several employees. Of particular concern to the attorney general was what she perceived as an insufficient governing board response to indications over time of improper executive behavior. These, and similar examples, serve to again prompt the question, “Where was the board?”

Concerns with the quality of the board’s oversight are also arising in the context of several recent health care compliance developments. Prominent among these is the increased emphasis of the OIG on its permissive exclusion program, with its “strict liability” provisions. OIG has made it clear that it intends to use this penalty to address concerns with medical device companies, pharmaceutical companies and health systems that build the cost of fines and penalties into the “cost of doing business.” The exclusion penalty is most likely to be applied to executives of companies that perceive themselves as “too big to fire” (i.e., immune to program exclusion because of the potential damage to program beneficiaries). ⁴ See, e.g., “Federal Lawyer Lewis Morris Says the Government’s Expanding Its Use of Debarmen,” Sue Reisinger, Corporate Counsel, March 4, 2011. Boards will be expected to conduct some basic analysis to determine if their organization fits OIG’s permissive exclusion profile. What is it about the health care sector that prompts such a draconian enforcement practice? Do we consider ourselves “too big to fire”?

Other recent compliance developments raise similar oversight concerns. The New York Medicaid Inspector General has adopted an aggressive enforcement posture with respect to the governing boards of Medicaid providers found to have compliance problems. Where a deficiency in board oversight practices is determined to have contributed to the organization’s Medicaid compliance issues, the Inspector General will consider corrective action involving the board. ⁵New York State Medicaid Inspector General Workplan FY 2011, http://www.omig.ny.gov/data/images/stories/work_plan/omig_work_plan_2010_2011.pdf In addition, the board and its quality of care committee should note OIG’s substantially increased emphasis on the False Claims Act implications of providing substandard care to Medicare and Medicaid beneficiaries. ⁶“Corporate Responsibility and Health Care Quality - A Resource for Health Care Boards of Directors,” Office of Inspector General, Department of Health & Human Services, and American Health Lawyers Association, Sept. 13, 2007, http://oig.hhs.gov/fraud/docs/complianceguidance/CorporateResponsibilityFinal%209-4-07.pdf Finally, the board and its compliance committee should be aware of significant recent federal District Court and Court of Appeals decisions finding violations of the Stark and Anti-Kickback laws, respectively, and of their implications for future enforcement activity. ⁷See, e.g., United States v. Borrasi, No. 09-4088 (7th Cir. May 4, 2011); United States ex rel. Singh v. Bradford Regional Medical Center, Civ. No. 04-186, 2010 U.S. LEXIS 119355 (W.D. Pa. Nov. 10, 2010).

These developments combine to serve as a useful reminder of the role that disciplined board oversight may play in lowering the organization’s legal and compliance risk profile, and in protecting the value of its assets and reputation.

When an organization suffers what is perceived as preventable harm, boards will not likely escape the typical media “Monday Morning Quarterbacking”: Had the board been awake, would this stuff have happened? That’s a constant, and no amount of board attentiveness is likely to prevent at least initial local media speculation and conjecture. It’s just the game they play. Further, some compliance violations are so complex or well-hidden that no amount of oversight will serve to prevent or mitigate the resulting harm. However, readily available evidence of effective oversight practices may allow for prompt, persuasive responses to related inquiries of state and federal regulators—which may themselves be prompted by the negative media coverage.

For those and other reasons, it is increasingly incumbent on boards to have a better understanding of the proper scope of their oversight obligations, and to sharpen their sensitivity to the warning signs of compliance problems.

What the Law Provides

>The Basic Duty. The director’s oversight obligation is one of two core components of the fundamental fiduciary duty of care (the other component being the decision-making function). In most states, the duty of care requires directors to act (a) in good faith, (b) with that level of care that an ordinarily prudent person would exercise in like circumstances; and (c) in a manner that they reasonably believe is in the best interests of the corporation. ⁸See. e.g., Section 8.30 “General Standards for Directors,” Revised Model Nonprofit Corporation Act (Prentice Hall Law & Business, 1987); Section 8.30, “Standards of Conduct for Directors,” Model Nonprofit Corporation Act, Third Edition (Prentice Hall Law & Business 2009). The duty of care in its most fundamental sense applies to the directors of both nonprofit and for-profit companies.

The oversight obligation involves the application of duty of care principles to the basic activity of the board in exercising supervision of the day-to-day business operations of the company; i.e., the exercise of reasonable care to confirm that corporate executives (to whom day-to-day operational responsibility has been delegated by the board) carry out their management responsibilities, and comply with the law and with organizational policies.

A series of Delaware court rulings, including the seminal Caremark decision, are broadly recognized as framing the parameters of the oversight obligation. ⁹In re Caremark Int’l Inc. Derivative Litig., 698 A.2d 959 (Del. Ch. 1996); Stone v. Ritter, 911 A.2d 362, (Del. 2006); In re Citigroup, Inc. Shareholder Derivative Litigation, 964 A.2d 106 (Del. Ch. 2009). These rulings provide that directors have certain responsibilities to implement and monitor a system of oversight; i.e., a corporate information and reporting system that is adequate to allow directors to know about and prevent wrongdoing that could cause losses to the company. Such a system should assure that appropriate information as to organizational risk and legal compliance will come to the board’s attention in a timely manner as a manner of ordinary operations.

There is no “one size fits all” compliance or informational reporting system; the level of detail that is appropriate for such a system is a matter of the board’s informed business judgment. Caremark and its progeny also acknowledge that no rationally designed and implemented compliance system will eliminate the potential that the corporation or its agents will violate the law, or otherwise fail to identify corporate acts inconsistent with law. In other words, no matter how effective a compliance oversight plan may be, ¹⁰Id. stuff’s going to happen.

In this context, the board’s level of attentiveness is a critical factor. Board members are expected to exercise general supervision and control of corporate officers. Yet, the Caremark line of cases don’t hold the board to a standard of “proactive diligence,” requiring that it “ferret out” compliance problems in the absence of specific warning signs. Directors are not expected to mimic “The Mentalist” and anticipate future compliance problems of the organization. Rather, board action is expected in circumstances when suspicions are aroused, or should be aroused. ¹¹Caremark, supra. You know, when the proverbial “red flags” start waving. In other words, action is expected when directors confront extraordinary facts or circumstances of a material nature (e.g., suggestions of defalcation, self-dealing, fraud or similar issues). That’s when the basic duty to make reasonable inquiry, so central to the oversight obligation, is “ratcheted up.” In these circumstances, board members are expected to make further inquiry unless and until their concerns are satisfactorily addressed or otherwise favorably resolved. And it’s OK to be a bit of a “pain in the tail” if necessary in order to adequately pursue the inquiry. That’s the very essence of independent oversight.

Absent these kinds of suspicious developments, board members are entitled to rely on the executive leadership team in the performance of their duties and in their management of the compliance program.

>The Liability Threshold. The good news for directors is that the leading cases establish an extremely high burden for finding liability for breach of the oversight obligation. The Caremark cases have consistently held that such liability is based on the concept of good faith (i.e., honesty of purpose). ¹²Id. These cases provide that, in order to establish oversight liability, a plaintiff is required to demonstrate that the directors knew they were not discharging their fiduciary obligations or that by their actions they demonstrated a conscious disregard for their responsibilities; e.g., by failing to act in the face of a known duty to act. ¹³See, e.g., Stone, 911 A. 2d at 370. Examples of such conscious disregard could include either (a) “utterly failing” to implement any reporting or information system or controls; or (b) having implemented such a system or controls, consciously failing to monitor or oversee its obligations, thus disabling themselves from being informed of risks or problems requiring the board’s attention. ¹⁴Id.

Sounds like “bullet proof” protection, right? Well, not necessarily…

“The Catch”

Nonprofit boards should be cautioned against excessive reliance on the Caremark standard for director oversight liability; it’s just not that simple. Depending upon the facts at hand, it should not be assumed that a state charity official or court reviewing the actions of a nonprofit board under similar circumstances would reach the same conclusions as the Delaware courts in Caremark and its progeny. These courts often, directly or indirectly, consider the role of the capital markets as offering the ultimate form of redress for failures of management and governance. In so doing, they recognize the possibility that the markets—and not the judiciary—are the more appropriate party to apportion liability/accountability based on board member conduct made in good faith.

Such a “market remedy” is not directly available in the nonprofit context, where the state attorney general, rather than shareholders, is the principal agent of redress. In the nonprofit model, the governing board is perceived as the “first line of defense” of charitable interests. Membership rights and derivative powers may not be perceived as an oversight function equivalent to the power of the markets. Accordingly, state charity officials may be less willing to interpret significant board oversight lapses under the Caremark standard of “conscious disregard.” This is particularly the case if they conclude that ample information had been made available to the board in order for it to take some responsive action to protect charitable assets—including the reputation of the organization. In such cases, the charity officials may feel more compelled to intervene.

This does not mean that the Delaware cases aren’t highly instructive of public policy concerning director liability for oversight lapses. These cases speak loudly to the need to establish lack of good faith as a necessary condition to liability. It does mean, however, that when evaluating a “where was the board” issue, a state charity official may interpret gross negligence, or lack of good faith, differently than the Delaware courts.

A Recommended Action Plan

Corporate counsel can support the board in its exercise of its oversight function and in reducing its associated liability profile. Advice can be provided on measures the board can take (with executive support) to improve its ability to intervene and prevent/mitigate frauds or other wrongdoing that could expose the nonprofit to risk of loss. Elements of such an “action plan” might profitably include the following:

1. Flag Waving. The board can always benefit from an update on its oversight obligations. Of more immediate interest, however, is education on the types of circumstances that might require board inquiry and, possibly, active investigation; i.e., to help identify what a “red flag”) is in the context of corporate operations. From the proverbial “10,00 foot level,” a “red flag is information that on its own, or in combination with other, previously disclosed information, would prompt a prudent person, in a similar situation, to take immediate action. ¹⁵See Gentile and Christiansen, “In re Citigroup: The Birth Announcement and Obituary of the Duty of Business Performance Oversight”; Bloomberg Law Reports Vol. 3, No. 19. There is no all-inclusive list of indicators, but to paraphrase the late U.S. Supreme Court Justice Potter Stewart, you’re likely to know if when you see it. But, it helps to receive education on what to look for, the proper threshold of interest. It’s not something that prompts a raised eyebrow or a cautious stroke of the chin. Rather, it’s more of a, “that doesn’t look right at all” moment.

2. Information Flow. There is value in reviewing the sufficiency of the information flow from senior management—or the field—to key committees (e.g., audit and compliance) and to the board. Is it working to get key “red” or “yellow” flag information to the board in a timely manner? Is there a clear understanding from the board to senior management as to the type of risk/compliance-related information that must come to the board or a committee?

3. Staffing. Does the board have the right people in place at the key positions—general counsel, chief compliance officer, internal auditor, outside counsel and independent auditors—so that it’s more likely than not to receive signals of compliance problems and other “red flags”? Are these executives and advisors provided with the proper funding and guidance as to the board’s compliance expectations? Is the board truly establishing the requisite “tone at the top”?

4. Coordination. The board needs to be proactive in preventing “silos” within management groups with responsibility for legal, compliance and internal audit. Is everyone talking to each other? Is there proper internal coordination? When any of the compliance officer, general counsel or internal auditor presents to the board or a key committee, is he/she sharing information that is also known to the others?

5. Reporting. Along the same lines, the board should insist on reporting relationships that are supportive of its oversight responsibility. This includes establishing specific guidelines with respect to levels of authority within the corporation; i.e., matters that require board approval, matters that require board notification, and matters on which the CEO may act unilaterally. Similarly, the board should insist that the general counsel is in attendance at all meetings of the board and key committees, that there is periodic executive session meetings with the general counsel, and that the compliance officer similarly has direct access to the board.

6. Attentiveness. The seeds of director liability can grow from evidence of a casual approach to oversight: e.g., a lack of familiarity with the board agenda; failure to invest the time in meeting preparation or in a specific board topic; poor meeting attendance; excessive reliance on, or deference to, senior management; failure to exercise “constructive skepticism”; and/or incuriosity.

7. Minutes. A little “self help” is warranted here. Assist the ability of the board and key committees to demonstrate proper fiduciary conduct through meeting minutes that adequately demonstrate attentiveness to oversight concerns. This extends to meetings of independent members in executive session.

8. Independence. Assuring independence of the governing board from executive management, whether it relates to conflicts of interest, executive compensation, dual office holding, or diligent management oversight, is critical to the effective exercise of the oversight function. The board must balance appropriate deference to valued executives with the ongoing need for vigorous and independent oversight of such executives.

When health care companies suffer preventable harm, Where Was the Board? is infrequently the right question, is rarely the fair question, but should always be the expected question. The law recognizes that no corporate reporting plan will be foolproof. Significant legal, compliance, and ethical issues are bound to occur, the board’s good faith notwithstanding. The key is to position the board to identify and act on those issues when they are presented.

Where was the board? In charge, that’s where.