As the Corona Virus continues to spread and cause some issues in the world’s supply chain as well as the major equity markets, corporate governance issues are now being thrust into the spotlight. After all, how does the Board of Directors react to a pandemic? What are the rights of shareholders? What corporate governance practices are necessary to help companies address major crisis? To address these issues, it helps to first consider what corporate governance really entails. Hence a little summary on Corporate Governance and what In-House Counsel should consider.
1. When in-house counsel is briefing the Board of Directors, the briefing should at least cover the following:

• The structure of the corporation
• Basic Organizational Documents
• The role of the shareholders
• The annual meeting of the shareholders
• Liability of shareholders, if any
• The role of the Board of Directors
• Board Meetings
• Board Committees

2. What are the basic organizational documents

• In the US, the organizational structure and roles and duties of the shareholders, directors and officers are determined by the laws of the state in which the corporation is formed and by the basic organizational documents for a corporation. In the US, many corporations are incorporated in the state of Delaware, known for its advanced laws relating to the establishment of corporations.
• One of the documents is the Articles of Incorporation (Charter). The charter sets out the fundamental characteristics of the corporation such as its name, nature of business and classes of stock.
• Another document is called the Bylaws. The bylaws determine the specific procedures for governing the corporation, including:
- Procedures for shareholder and board meetings
- The size of the board
- The officers that the corporation may elect or appoint

3. The Role of the Shareholders

• The shareholders elect the directors
• The shareholders approve certain matters including:
- Authorization of additional shares of stock
- Mergers and acquisitions involving the corporation
- Sale of the corporation’s businesses or substantially all of its assets.
- Dissolution of the corporation
- Change of the corporation’s name
- Amendment of the Bylaws
- Management and operation of the corporation’s business are not included within the legal scope of the shareholder activity
- An annual meeting of the shareholders is required at which the shareholders elect or re-elect the directors

4. Liabilities of Shareholders

• Under US laws, a corporation is a distinct entity, a separate form and independent of its shareholders. A parent company (as a shareholder) as a rule is not liable for the debts, judgements and other liabilities of its subsidiary.
• Shareholders in SU are not usually liable for the debts and liabilities of the company.
• However, the shareholder, may become liable for liabilities for the company if corporate formalities are not followed.
• It is therefore essential that formalities of the corporate existence separate from shareholders be adhered to.
• Processes need to be developed to prevent the -“Piercing of the Corporate Veil”.
• The theory of “piercing the corporate veil” is not a test but a judgment as to which circumstances warrant a departure from the general rule of limited liability.
• Sound corporate practices requires consideration of the various factors that are used in determining whether to pierce the corporate veil.
• Elements of “Piercing the Corporate Veil” include:
-control by the shareholder (often a parent company) to such a degree that the subsidiary has become its mere instrumentality
-fraud or wrong by the parent or shareholder through its subsidiary
-unjust loss or injury to a third party claimant (such as insolvency of the subsidiary)

5. The Role of the Board of Directors

• The board of directors is accountable to the shareholders
• The board must ensure that effective systems of control are in place for safeguarding the corporation’s assets
• The board of directors may legally act only as a body and function in accordance with the Bylaws
• Directors are not responsible for running the business on a day-to day basis
• If a director is an officer, he or she executes documents in the capacity of the office held
• States confer broad powers upon board members and imposes corresponding duties and obligations
• To protect the board’s managerial power, Courts employ the business judgment rule
• The business judgement rule protects directors from liability as long as the directors acted :
- On an informed basis
- In good faith
- In the honest belief that the action taken was in the best interests of the corporation

• The specific responsibilities of the Board includes:
- Strategy
- Planning
- Control
• Duties owed by the Board of Directors to the shareholders and corporation include:
- The duties of care, loyalty and disclosure
- The duty of care focuses on the processes and methods by which the Board reaches decisions
- Standard for a breach of the duty is gross negligence

• Informed judgement requires a director to be :
-Fully informed on matters before the board
-Fully informed of all material information available to the board
-Fully informed of the terms, conditions and consequences of the transaction
- Discussion by the board should be frank, deliberate and open

• The board must represent the interests of the company and shareholders and proceed with a critical eye
• The board must independently assess matters before the board
• Each board member must act in a deliberate and knowledgeable manner
• The duty of due care means each board member must act in good faith
• Decisions must be rational
• As a general matter, each board member owes undivided allegiance to the corporation

6. Board Meetings

• The board of directors should meet as often as necessary
• The bylaws set the minimum number of directors
•
• A director cannot delegate his or her vote by proxy to another director
• Board meetings are governed by formalities
• Decisions are reflected in resolutions
• Minutes of board meetings:
- Should not recite details of the discussions during the meetings
- The minutes should be limited to recording the normal decisions of the board and key information essential to decisions.
- The board is permitted to adapt actions in writing without a meetings and without the requirement of notice using a “Unanimous Written Consent”

Of all the risks facing companies in today’s business world, reputational risk is one of the most serious. Reputational risk can not only damage a company’s brand, but can even lead to the demise of the company. It is of primary importance to executives, in-house counsel and risk managers in many multinational companies and is seen as one of the top risks a company may face. In fact, in Aon’s recent Global Risk Management Survey, it is one of the top ten risks that are of concern to companies. Deloitte surveyed companies as well and found out that the majority of companies it surveyed rated reputational risk as more important than strategic risk. Many of those surveyed acknowledged they had suffered a brand risk or reputational risk event that resulted in a loss of brand value or a loss of earnings.

Damages caused by reputational or brand risk events are not tied to just domestic related issues. Approximately half of the executives that Kroll polled for its recent Global Fraud Report opined that their companies are at risk of vendor, supplier, or procurement fraud tied to overseas expansion. Many of those surveyed felt their companies were highly or moderately vulnerable to corruption and bribery risks which can of course lead to reputational risk or loss of brand as well as FCPA investigations and fines. According to the respondents in the Kroll Global Fraud Report, ethics and integrity (or lack thereof) was the major cause of reputational risk.

The reputational risk caused by supply chain issues can escalate out of control unless properly managed. Loss of brand value can happen quickly if a fraudulent event becomes public or if a bribery scandal is publicized in the media. Just look at the some of the crisis that happened over the last decade. Many people have been affected (some have died) because of the crises or mega-crises that have happened. Many of them also included reputational risks as well. Examples include:

The financial and housing collapse and major recession of 2008

Toyota implicated in recalls because of brake issues

Major Banks having their credit card customers’ names stolen by computer hackers

Volkswagen was implicated in a pollution emissions scandal

Target’s customers had personal data stolen due to lax security systems. Over 40 million
Credit and debit card customers effected

Sony Pictures- Sony as well as its employees had confidential information stolen

It is undisputable that a major crisis can pose serious threats to a company, and, therefore, the crisis must be managed. Crises can result in (a) government fines, (b) loss of retailer confidence, (c) loss of investor confidence, (d) loss of employee confidence, and (e) massive litigation, including class actions. In other words, the end of the company! Crises also result in reputational risks or damage to the company’s brand which may have a greater effect on the company’s bottom line than the damage caused by the original crisis itself.

When considering brand risk issues during a crisis ask the following questions:
• Is there a Crisis Management Plan in place to handle brand risk once a crisis starts?
• Does the Company have an effective internal investigation process in place that may shorten the time taken to discover internal risks and mitigate reputational harm?
• Has the appropriate decision makers been trained to handle PR and media issues once a crisis has occurred?
• Does the Company have appropriate 3rd party consultants, including risk management companies and media crisis companies in place to help mitigate reputational/brand risk once a crisis event takes place?
• Does the Company have an appropriate international Crisis Management Plan in place in case the crisis is international in scope?

Companies must realize that there are many risks associated with doing business internationally as well as domestically. Brand or reputational risk is very serious and can lead to the loss of money or even the destruction of a company unless the right steps to mitigate or prevent brand risk are in place. So when considering what risks should be addressed on a regular basis, remember reputational risk should be of primary importance.

The recent outbreak of the Corona Virus is a perfect example of how risk, whether biological in nature, man-made, environmental or regulatory, can rapidly change a company’s business plan or effect the current global business outlook. As the virus continues to spread, business plans are being impacted, especially the business plans of companies in the travel, tourism and convention industries. This should give everyone pause and perhaps encourage everyone to reflect on the current risk management processes they have in place including employee safety related processes. Perhaps it is time to change the processes. Or at least re-examine them.

When talking to your staff or to other departments, how often have you heard the phrase “That the way we have always done things.” Just because corporate processes have been done one way doesn’t mean that the best way or even in todays’ fast changing world- the right way. Even after the financial meltdown of 2008 many companies continued to use the failed metrics that got them into trouble in the first place. Even the credit markets haven’t changed as much as you would think after 2008. Why?

I truly believe that once processes are created in a corporate or bureaucratic environment, it is as if the processes have been set in stone. They are very hard to change. Even if the world around the company has changed. It is human nature to accept what has been done in the past. Few people want to “rock the boat” even if the proverbial boat is actually sinking. Companies get into real trouble because of this. What happens if the company’s business model actually is out of date or its business plan is no longer viable? Just because it worked in the past doesn’t mean it will work in the future. Do the processes really mitigate risk or not?

I therefore caution everyone not to blindly accept the current risk management processes in place. Risk managers as well as in house counsel and other managers should be challenging risk management metrics on a regular basis. Counsel should be auditing departments on a regular basis. Does that compliance program really work? Does the safety program really work? Maybe the plans worked properly 5 years ago. But what about today?

Remember, if local or national laws have changed maybe the current processes are out of date. If the products that your company manufactures or the services it provides have changed maybe the internal processes surrounding the review of those products and services are out of date. What about the current social environment? What about the regulatory environment? When reviewing your current product liability review processes have you factored in the new risks created by the Internet of all Things? These risks are real. Are you ready for them?

It is a fundamental truth that all things change. Some change faster than others. Regardless, don’t rely on your old or standard risk management processes to continue to provide the same level of comfort they did in the past. Continue to review and to modify them if necessary.

Like some of its neighbors in Asia, South Korea has taken data protection very seriously and has implemented a general data protection law- the Personal Information Protection Act or “PIPA”. It first amended the PIPA in 2016 by adding additional regulations and requirements. Unlike some of its neighbors however, South Korea has also enacted other laws over the last 2 years that place strict requirements on data privacy in other sectors such as IT Networks, credit card information, cloud computing and online advertising. Recently, additional major amendments to PIPA were passed by the National Assembly of Korea because of Big Data /AI /IoT concerns.

The amendments to the PIPA that have been adopted include: (i) clarification of the definition of “personal information,” (ii) the introduction of pseudonymized information and the permitted use of pseudonymized information for research and statistical purposes without the data subject’s consent, (iii) the introduction of compatibility, (iv) the transfer of the Network Act’s personal information-related provisions to the PIPA and (v) elevation of the Personal Information Protection Commission’s (“PIPC’s”) status to a central administrative agency responsible for the enforcement of the PIPA. A short summary follows:

1. Key Provisions of the Amended PIPA

(1) Clarification of the definition of “personal information”

As is the case under the current PIPA, the definition of “personal information” under the amended PIPA continues to include “information that can be easily combined with any other information to identify a specific individual.” The amended PIPA provides clearer direction on what this means, by stipulating the criteria for determining whether certain information can be “easily combined with any other information to identify a specific individual.

(2) Introduction of “pseudonymized information”

The amended PIPA introduces the concept of “pseudonymized information,” which means “information which, through the process of pseudonymization, may no longer be used to identify a specific individual without using or combining additional information to restore the information to its original state.”
The amendment stipulates the principles governing the pseudonymization methods in the PIPA itself, rather than delegating the authority to the President to determine such methods in the Presidential Decree. Therefore, data handlers are advised to continue monitoring the position of the pertinent regulators, including any guidelines to be issued by them, and see how the principles stipulated in the amended PIPA are applied in practice going forward.

(3) Use of personal information within the scope reasonably related to the original purpose of the collection

The amended PIPA allows data handlers to use or provide personal information within the scope reasonably related to the original purpose of the collection without the consent of the data subject. The amended PIPA has relaxed the existing consent-oriented regulations which have been subject to continued criticism for being excessively formalistic and stringent, and adopted the purpose limitation principle of the GDPR, which allows the use of personal information for purposes that are not incompatible with the purpose of initial collection.

(4) Exclusion of anonymized information from the application of the PIPA.

The amended PIPA explicitly provides that any information which cannot be used to identify a specific individual even if the information is combined with any other information, after reasonably considering factors such as time, cost, technology (“Anonymized Information”), is not subject to the provisions of the PIPA.

(5) Transfer of the Network Act’s personal information-related provisions to the PIPA.

The amended PIPA includes a new chapter on the “Special Provisions for the Processing of Personal Information by Information and Communications Service Providers and Recipients of Personal Information (collectively, the “ICSPs”)” (“Special Provisions”), which basically consists of the Network Act’s provisions relating to personal information protection that are not in harmony with those set forth in the PIPA.
.
(6) Consent no longer required for an ICSP’s outsourcing of data processing to a third party.

Under Article 25 of the current Network Act, an ICSP who wishes to outsource the processing of personal information to a third party (“Outsourcing”) is obligated, in principle, to obtain the data subject’s (i.e., user’s) consent. However, this provision was not transferred to the amended PIPA as part of the Special Provisions, and thus the PIPA’s provisions on Outsourcing will now apply to an ICSP who wishes to engage in Outsourcing. Under the current PIPA, the data subject’s consent is not required for Outsourcing.

The new amendments to PIPA are meaningful in that they help provide clearer guidance to data handlers on what constitutes the lawful processing of personal information as well as setting forth standards for the secure processing of personal information. It is expected that the amended PIPA is expected to go into effect 6 months from its promulgation date, and the amendment of the PIPA’s implementing regulations shall take place in the upcoming months.

Like directors in the US and elsewhere, directors in Korean companies have fiduciary related duties to protect and safe-guard the Company and the Company’s assets. Such duties are set forth in the Korean Commercial Code and include:

• Duty of Care as a prudent manager
• Duty of Confidentiality
• Fiduciary Duty-the Duty of Loyalty

In Korea, if a director violates the duty of care as a good manager (including the duty to faithfully perform in the Company’s best interest) he or she may be held liable to the company or even to third parties and could be required to pay damages. Under Article 382-3 of the Korean Commercial Code a director’s duty of care and good faith encompasses a number of duties including the:

• Duty to review the company’s activities
• Duty to review corporate information and documents
• Duty to protect a company’s assets
• Duty to supervise and oversee employees
• Duty to review all major filings with regulatory agencies

A director may even be subject to criminally liability as well as civil liability upon the negligent failure of fulfilling the obligation of care. Directors who violate the provisions of the Korean Commercial Code or the Company’s articles of incorporation may be held jointly and severally liable to the Company. This is true especially when the director’s actions are intentional, or are committed with gross negligence. Such liability may be found when the director fails to fulfill the duty of care and loyalty by:

• The intentional neglect or negligence in performing duties
• The failure to manage affairs as “an ordinary prudent person”
• Endangering company assets through gross negligence
• Engaging in a business that conflicts or competes with the Company
• Using a business opportunity that could benefit the Company for one’s own personal account or the account of a third party

Looking at the civil and common law aspects of the duty of care (Korean courts are trending towards the business judgment rule of the US) the following is true of directors in Korea today:

1. Directors must use reasonable care in protecting the Company’s assets
2. Directors must use reasonable care in providing a safe work place and work environment
3. Directors must use reasonable care when overseeing the Company’s activities

Remember, though serving as a director on the Board of a Korean company may sound exciting it comes with risk. There are restrictions as to what a director can or cannot do and if a director violates his or her fiduciary duty or duty of care, he or she is subject to legal action and even criminal liability.

I am always asked by my younger colleagues how General Counsel or GCs pick law firms when deciding which law firms to use. Most GCs actually pick lawyers, not just law firms, when retaining outside counsel, but it is important that the law firm is also a firm the GC likes and respects. If the GC likes and respects the firm, the odds are that the law firm is the firm the General Counsel most likely will pick to handle a major problem or case.

Most GCs have over the years developed processes to select and use outside counsel on a consistent basis with a focus on quality, reasonable fees, and, of course, success. Such success is normally the result of a long-term relationship in which outside counsel becomes a member of the company’s “team,” learns the business, and can, therefore, provide timely legal and business advice. A General Counsel knows that it is vital to have a go to law firm that can handle major legal issues in an effective and efficient manner. So the General Counsel is always looking for the lawyer and the firm that can deliver for the company- i.e. add value. There are many firms vying for the GC’s business, but only a few that can really deliver for the GC.

In essence, more and more General Counsel are only looking for law firms that can add value and either help the in house law department add value or add value to the company’s bottom line. In today’s ultra- competitive legal marketplace, only the law firms that can add value are thriving. So how can a law firm position itself to add value and become the law firm of choice? Law firms know that when dealing with a company it is essential to meet the General Counsel (if the company has one) and develop a working relationship. But that is not enough. The days of becoming the go to law firm solely based on relationships are over. Having a good working relationship is of course also necessary. But it’s all about value add.

IT IS ALL ABOUT VALUE ADD
Here are 12 steps layers and law firms should take to become the firm that adds value-
1. Know the business! Understand the major issues facing the business? Take time to understand how the company works! One size does not fit all.
2. Develop a relationship with the GC! Go out and meet him or her. Call him or her on the phone. Communicate! Did I say communicate?
3. Meet the Assistant General Counsel as well and/or other senior lawyers on the team.
4. Be responsive- At All Times!
5. 24/7- is the new response time. Remember weekends are not off limits anymore.
6. Don’t create “busy work”. The GC knows what is important.
7. Work with the GC to fit in with the GC’s outside staffing guidelines
• Work with the GC to meet all billing guidelines
• Be flexible in billing arrangements
• Don’t overcharge or overspend
8. Responsiveness is important! Communicate any and all significant case developments!
9. GC’s love litigation plans and well drafted budgets. Provide them and don’t complain.
• It requires a well drafted pitch proposal to RFPs.
• What are the major issues in the litigation or matter?
• Be willing to follow the GC’s requested billing format (and stick to it).
10. Go the extra mile!! Do whatever it takes!
• Provide free services if requested
• Be willing to travel free of charge or be willing to drop everything for the client
• Always deliver
11. Learn how the organization works!!
• What are its A/R, billing, credit, accounting and procurement processes?
• What are the main business issues involving its manufacturing or services?
12. Don’t take the GC or company for granted – ever!

If a law firm can internalize these 12 steps it is well on its way to become the company’s firm of choice. The GO TO LAW FIRM! Remember, General Counsel for the most part are reasonable but at the end of the day they are looking for the firms that can stand up and deliver- or add value. If the firm is not willing to go the extra mile, it can’t expect the GC to think of it as the “Go to Law Firm”. Oddly enough, not that many law firms are really willing to do so. They may pay lip service to “adding value” but at the end of the day may not deliver as promised. This provides an opening for those firms that are willing to internalize the 12 steps I mentioned above and become the firm of choice.