JP Morgan recently reported a surprising $2 billion loss that it attributed to "egregious" mistakes in its derivatives-based hedging strategy.  A news report (here) notes that CEO Jamie Dimon acknowledged that part of the problem was poor monitoring.  This made me think about Delaware's Caremark duty of oversight, which requires boards to implement information gathering and reporting systems designed to alert them to problems in the business.  As Stephen Bainbridge has noted (here), while the duty has typically been understood to cover violations of the law, there is a good argument to be made for including oversight of risk management.

The financial crisis of 2008 revealed serious and widespread risk management failures throughout the business community. Shareholder losses attributable to absent or poorly implemented risk management programs are enormous. Efforts to hold corporate boards of directors accountable for these failures likely will focus on so-called Caremark claims. The Caremark decision asserted that a board of directors has a duty to ensure that appropriate "information and reporting systems" are in place to provide the board and top management with "timely and accurate information." Although post-Caremark opinions and commentary have focused on law compliance programs, risk management programs do not differ in kind from the types of conduct that traditionally have been at issue in Caremark-type litigation. Risk management failures do differ in degree from law violations or accounting irregularities. In particular, risk taking and risk management are inextricably intertwined. Efforts to hold directors accountable for risk management failures thus threaten to morph into holding directors liable for bad business outcomes. Caremark claims premised on risk management failures thus uniquely implicate the concerns that animate the business judgment rule's prohibition of judicial review of business decisions. As Caremark is the most difficult theory of liability in corporate law, risk management is the most difficult variant of Caremark claims.

While I agree that it should be difficult to hold a board liable for failing to properly oversee a corporation's financial risk management, at some point the critical "utter failure" threshold is crossed and imposing liability is appropriate.  The critical questions are: (1) How do we define the risk exposure, such that an information gathering and reporting system's failure to bring it to the attention of the board constitutes an utter failure? (2) How well do the directors have to understand the risk, such that they have not utterly failed to exercise judgment in responding to the relevant reports?  Applying this analysis to JP Morgan's recent loss, I actually think an argument could be made that in light of JP Morgan's overall size a failure to bring the strategy to the board's attention might not constitute an utter failure of the reporting system.  Of course, that's assuming $2 billion is at the upper end of the range of potential losses implicated by the hedging strategy.  And that's assuming further that the masters of the universe implementing the strategy can actually accurately calculate their exposure.  All of which raises a final interesting question (at least for purposes of this post):  Should an inability to fully understand the risk exposure of a particular strategy or financial instrument constitute a per se violation of Caremark?  My current inclination is to answer that question in the affirmative.