Grondslagen bestuurdersaansprakelijkheid
Grondslagen bestuurdersaansprakelijkheid (IVOR nr. 73) 2010/PART IV
PART IV: Liability for failing risk management
Document details:
- Date: 20-07-2010
- Author: mr. D.A.M.H.W. Strik
- JCDI: JCDI:ADS433422:1
- Field(s): Corporate law (V)
In the last part of this thesis I examine in what manner the liability of directors for failing risk management may be determined. Among other things, I divide risk management-related errors roughly into five categories. As regards the grounds for director's liability, I discuss liability towards the company under Article 2:9 DCC. When discussing the standards of conduct regarding risk management arising from Article 2:9 DCC, I focus on 13 prominent elements and on the basis thereof formulate a number of general premises.
First of all, when setting the threshold for director's liability for failing risk management, the risk philosophy of the Dutch legal system as regards entrepreneurial risk should be considered. This requires that the threshold for director's liability ought to be raised higher, because society is not served with rules that stimulate taking risk-avoiding decisions that bring little economic advantage. This is the general premise.
A second important point of view is that decisions taken by the management board should not be assessed on the basis of the outcome thereof. Directors are not always in control of the circumstances I describe as critical failure factors for board decisions (psychological, external, and internal factors). Moreover, it is hard for the court to form an entirely objective opinion in this regard, for one thing because of the hindsight bias and curse of knowledge, which may influence its decision through knowledge of facts that occurred after the directors took their decisions. The mere materialisation of a risk resulting in damage does not necessarily justify the conclusion that a risk management failure has taken place. The adopted procedures and logic of the decision-making process will therefore in principle be the focus in the event of a judicial review.
Next I represent in my analysis that it is in fact incorrect to refer to raising the threshold in this regard. The liability standards include a number of elements, e.g. standard of conduct, causation and attribution. For each of these elements a threshold may be raised. Furthermore, the courts may observe reticence when applying a criterion. In chapter 9 I refer to raising a threshold for the standard of conduct and the attribution standard, and briefly discuss the judicial review standard.
I argue that it is possible to raise a high threshold for attribution by solely allowing attribution arising from fault — and not according to generally prevailing opinion — and by requiring a strict degree of fault: intent or wilful recklessness. One argument in favour of establishing a link with culpability is that this allows taking into account psychological facts that may impede optimal decision-making. As is also mentioned in chapter 2, there seems in practice to be a rather more extensive form of attribution based on objective fault, or even according to generally prevailing opinion.
Furthermore, the threshold for the standard of conduct must be raised higher in view of the board's discretionary power and the bandwidth that may exist when assessing the board's acts: it is hard to determine whether a director has taken a "wrong" decision. It should also be noted that the height of the (standard of conduct) threshold may vary, depending on the nature of the risk. A case might be made for making a distinction between compliance and financial reporting-related risks on the one hand and risks that have not been imposed by the government on the other. As regards the former category the board has little discretionary power. It does not have the freedom to develop a policy that is aimed at non-compliance with the law. The board does however have a certain degree of discretionary power regarding the manner in which compliance with (open) standards is ensured within the company. The control of compliance and financial reporting-related risks must provide a reasonable degree of certainty that the company will realise the objectives that are defined in that regard. For the control of risks with respect to operational and strategic objectives, a reasonable degree of certainty that the company makes progress in achieving these objectives should be obtained.
Another distinction on which a differentiation of the standards of conduct may be based is the criterion whether or not the voluntary risk taken by the company results in a risk for third parties. The standard of conduct might be more strict depending on whether such risk exists, specifically where these risks may have catastrophic consequences, e.g. health, environmental or system risks.
Finally, the voluntary acceptance of risks by persons involved in the company should lead to a limitation in their possibility to hold directors liable. This is for instance relevant for shareholders in respect of the risk appetite and risks that have been communicated.
The notion of risk management is actually a way of thinking and decision-taking that is referred to in psychology literature as system 2 thinking: deliberate, purposeful, explicit and logical. It provides for decisions at board level being taken based on a rational decision-taking method and enables external communication on risks and the controlling thereof. Risk management also enables the board to supervise the company.
However, there are clear restrictions to the possibilities for managing the risks. These specifically concern the critical failure factors. External factors cannot be (properly) controlled by a company. Furthermore, it is also possible that individuals within the company make risk management failures. I have classified risk management-related errors roughly into five categories: i) absence of a risk management system, ii) system errors, iii) operational errors, iv) errors of judgment, and v) insufficient transparency in the market as regards risks and risk management. When assessing the facts of a case in which a risk management failure has possibly occurred, it is recommended to verify which category of risk management failure would apply, and also to verify at what level within the organisation this failure has taken place and to what extent directors were or should have been aware of that failure.
In particular, in respect of errors of judgment, the nature of the applicable standard of judicial review is relevant. In my view, the standard formulated by the Supreme Court for violation of the standard of conduct laid down in Article 2:138/248 DCC (manifestly improper management), i.e. whether "no reasonably thinking director would — under the same circumstances — have acted in the same way" is adequate, also in respect of liability under Article 2:9 DCC.
From case law I have derived 13 areas in which directors may be subject to the risk of being held liable:
- the board chooses to adopt a strategy which entails too much risk;
- the board takes a decision without investigating the possible risks involved;
- the company does not have risk management and internal control systems, or the board takes a decision without appropriate systems being available;
- possible risks have been investigated, but the relevant risk or its materiality has not been identified;
- a choice for an inadequate risk response has been made;
- no criteria or guidelines have been established for managing identified risks;
- there is no periodical assessment of the actual exposure of the risk to the established criteria;
- there is no contingency plan;
- further to suspected incidents, no questions have been asked or further inquiries been made;
- no corrective measures have been taken in case the established criteria or guidelines have not been met;
- in case the established criteria and guidelines have not been met, these are neglected or amended without further inquiry or taking into account the effects on the policy;
- failures to inform co-directors about possible incidents and material weaknesses in the risk management and internal control systems;
- making misleading public statements on risk management.
From my study, I have derived a number of general requirements with respect to risk management that may be imposed on the board. Generally speaking these can be described as follows. A prudent board must make sufficient efforts to ensure that processes are in place, adapted to the nature and the size of the company and its activities, to make sure that major risks within the companies are detected and understood; that these are made transparent within the organisation; and that these are reported to the board in order to enable the board to: i) take well-informed decisions, ii) avoid to all possible extent surprises, so that losses are incurred as much as possible in such places where and to such an extent as the board has calculated, iii) timely and adequately intervene in the event risks do materialise, and iv) publish correct information regarding the risks and the risk management within the company. The board must set up an adequate internal control system that ensures implementation, compliance, and enforcement of the adopted rules and criteria. If there are serious indications of a material weakness in the set-up or operation of those systems, this should be investigated. In the event of material incidents the board must act by either enforcing the rules or by deciding, after weighing up the pros and cons, not to act or to adapt the rules.
As regards risk management directors are not under any obligation to achieve results, in the sense that they are responsible for preventing that the risks the company faces materialise or are fully under control. Such obligation would affect the nature of entrepreneurship; doing business without taking risks is inherently contradictory. Furthermore, given the diversity of risks, risk perceptions, and risk profiles it is unfeasible to objectively determine minimum uniform and concrete levels of risk management that would apply to each company, and which would have to be ensured by the directors at all times. Directors do not always control the critical failure factors for their decisions. Incurring a loss does not necessarily mean a risk management failure has taken place. And even in the event a risk management failure occurs, the question is whether this can be attributed to members of the board.