The recent indictment of former Penn State University President Graham Spanier helps assure that the broader governance themes raised by the Jerry Sandusky sexual abuse scandal will remain in the forefront—not only with the media, but also in corporate boardrooms.

This is primarily because of the continuing weight attributed by multiple constituencies to the investigative report of Judge Louis Freeh with respect to the underlying scandal. Much of the Freeh Report’s focus is on fiduciary conduct—both past and recommended. The report’s core governance themes transcend the unique, horrible nature of the underlying facts. It is, in large part, a significant commentary on the oversight responsibilities of a governing board. So when the Freeh Report is cited in media reports as contributing to the charges filed against Spanier—as it was similarly cited as a basis for the July 2012 NCAA sanctions against the university’s athletic program—the exceptionally long “shelf life” of this investigative report becomes more clear.

And that should cause corporate boards, and their governance counsel, to pause.

As long as the Freeh Report remains in the media spotlight, the possibility increases for greater public discourse on the two key governance topics raised by the report: the board’s awareness and appreciation of major risks, and the role of executive leadership in notifying the board of those risks.

What the report characterizes as essentially a fiduciary “blindness to risk” has direct relevance to broader corporate governance practices. This is due in large part to a combination of Judge Freeh’s reputation for rectitude; the continuing, intense associated media coverage; and an increasing concern with potential fault lines in internal corporate reporting systems—especially with respect to allegations that threaten great harm to the organizational reputation.

What did the board know, when did they know it, how did they find out about it and what did they do about it? Every new Freeh/Penn State headline carries with it the risk of greater media and regulatory interest in blindness-to-risk concerns at the corporate board level.

Risk awareness

There can be no question that the Freeh Report is highly fact-specific, addresses crimes and allegations almost unimaginable in scope, and reflects the conclusions of outside advisers and not of a judicial body. Those distinctions notwithstanding, the Spanier indictment offers an important opportunity for governance counsel to review with the board and executive leadership the relevance of the report’s conclusions to the larger corporate community.

A crucial governance obligation is to assure the effectiveness of the organizational compliance program, particularly as it serves to disclose to the board the major risks facing the organization. Risk data must absolutely get to the board.

Similarly, the board must be appropriately responsive to developments that arouse—or should arouse—suspicion. Executive staff must assist the board’s ability to make due inquiry with respect to particular risks. This must be a continuous educational process, not a one-time-only event.

In this regard, the Freeh Report concluded that the board failed in its oversight duties by not making inquiry about important university information and—once they became aware of the grand jury investigation—by failing to recognize the potential risk to the university and then to make reasonable inquiry. The report made repeated reference to the allegation that senior management did not initially disclose to the board the incidents and the related investigations.

Culture of compliance

The board has an unequivocal obligation to maintain a culture of legal and ethical compliance within the organization. This extends to assuring that compliance policies and procedures are applied uniformly across the organization with no exception—even with respect to departments or individuals that contribute significantly to the organization’s financial health or reputation. It also extends to supporting an environment in which good-faith whistleblowers may report evidence of wrongdoing without fear of retribution.

In this regard, the Freeh Report concluded that the board failed in its oversight duties by not creating an environment (i.e., “tone at the top”) in which university officials felt accountable.

In addition, it was noted that the Penn State football program had opted out of some university programs, including the highly relevant Clery Act compliance. It was also noted that several witnesses to allegedly criminal acts failed to disclose these acts because of fear for their jobs.

Excessive deference

There can be a dangerous temptation for directors to be excessively deferential to senior executive officers, especially those who are perceived to have contributed significantly to the organization’s financial success and enhanced reputation.

Respect for individual executive performance must not prevent a director from exercising constructive skepticism. Boardroom culture must encourage directors to pursue matters of concern and to raise questions that may be controversial. The board is responsible for creating an environment that holds executive management accountable.

In this regard, the Freeh Report concluded that the board was “overconfident” with respect to the university president’s ability to lead, and that a “culture of reverence” for the football program was ingrained at all levels of the campus community. The report was critical of what it described as a president who discouraged discussion and dissent within the boardroom.

Reputation as an organizational asset

An increasingly key component of a director’s oversight obligation is the preservation of the reputation of the organization. Reputation is every bit as much an asset of the organization as an investment account or a real estate holding, and arguably more difficult to restore to full value when it has suffered damage or loss.

Directors are obligated to consider the short- and long-term reputational impact of their actions—and nonactions. At the same time, the avoidance of negative publicity can never serve as a justification for not fully responding to a known or suspected violation of law, regulation, or fiduciary duty.

In this regard, the Freeh Report concluded that the avoidance of the consequences of bad publicity was the most significant, but not the only, cause for the failure to protect child victims and report to authorities.

Lines of authority

A clear understanding should exist between the chief executive officer and the board on matters that require board notification, those that require board approval or ratification, and those that are within the sole discretion of the CEO.

It is especially important to clarify the types of “red flag” events that require immediate notification to board leadership/the full board. It is similarly important to articulate limits on the CEO’s ability to engage organizational advisers in crisis situations, without board approval.

In this regard, the Freeh Report concluded that the board failed in its oversight duties by not having regular reporting procedures or committee structures in place to ensure disclosure to the board of major risks to the university.

The report also concluded that university officials failed to promptly and duly advise the board concerning the underlying allegation and the subsequent grand jury investigation.

Role of the General Counsel

The organization’s general counsel should have a portfolio, staff, budget and hierarchical position that are consistent with the size and sophistication of the organization. The general counsel should have a dual reporting relationship, both to senior management and to the board.

In this regard, the Freeh Report made a series of recommendations intended to complete the development of the university’s Office of General Counsel that had begun in 2010 with the creation of the office. Before that, the university outsourced its work to a law firm in Centre County, Pa.

Regardless of its possible limitations, the Freeh Report placed a harsh public spotlight on the effectiveness of board oversight controls. No matter its mission or purpose, an organization can suddenly find itself faced with a crisis of potentially similar proportion. The ultimate concern is whether existing oversight controls work to put the board in a position to identify and evaluate major risks.

This goes not only to the risk of enforcement, but also to the more fundamental risk of a legal violation. Freeh’s conclusions were essentially that the board failed its oversight duties both “coming and going”; i.e. by failing to have a system in place that would have ensured disclosure to it of major risks and, once they (allegedly, belatedly) became aware of those risks, by failing to take appropriate action in response.

The Freeh Report seemed to suggest that the board’s conduct was inconsistent with the Caremark standard for board compliance oversight—a notable observation given the relative paucity of case law addressing actual Caremark breaches.

Corporate counsel can play a valuable role in leading the board and management through a self-evaluation of internal board reporting systems. Is there a clear understanding of the types of risks that management must disclose to the board? Would the reporting systems work effectively when powerful people or important programs come under suspicion? Would the board be notified in a timely manner?

Is management devoting sufficient time to briefing the board on risk evaluation? Would board members be positioned to properly evaluate the warning signs? Would they make the tough decisions and push for resolution, regardless of the consequences?

Those are the questions that all corporate boards should be contemplating in the wake of the Spanier indictment and its relationship to the Freeh Report.

Corporate counsel may also wish to confer directly with the board to confirm the types or categories of critical developments for which immediate notice is required from management. Such a list should not be event-specific, as the focus should be on the significance of the development as opposed to the nature of the development. Clearly, however, the commencement of a governmental investigation or grand jury proceeding involving the organization or an employee thereof would be included within the list.

The Graham Spanier indictment, and the litigation to follow, assures that the alleged actions of former Penn State leadership in the Sandusky scandal will remain in the headlines for quite some time.

Corporate governing boards and their counsel should recognize the “teachable moment” this continuing controversy provides in terms of the board’s awareness and appreciation of major risks, and executive leadership’s role in notifying the board of those risks.

Michael W. Peregrine, a partner in the law firm of McDermott Will & Emery, advises corporations, officers, and directors on issues related to corporate governance, fiduciary duties and internal investigations. Peregrine’s views do not necessarily reflect the views of McDermott Will & Emery or its clients. This article first appeared in Corporate Counsel, a Daily Report affiliate.