Risk Management and the Board of Directors

Summary

This memorandum — authored by Martin Lipton and colleagues at Wachtell, Lipton, Rosen & Katz — outlines why boards must treat risk oversight as a core governance responsibility, distinct from day-to-day risk management. It surveys the legal and regulatory landscape (Delaware fiduciary law, SEC and NYSE rules, Dodd-Frank), enforcement trends (SEC, DOJ, state regulators), investor and proxy-advisor pressures, and international disclosure regimes. The memo emphasises documentation, board engagement, tone at the top, board readiness, and offers specific, actionable recommendations for improving oversight across sustainability (ESG), cybersecurity, data privacy and other mission-critical risk areas.

Key legal touchpoints include Caremark-derived Delaware decisions that allow oversight claims to survive motions to dismiss where boards ignored red flags; tighter SEC disclosure expectations on climate and cyber; NYSE standards around audit-committee discussions of risk; and growing DOJ focus on compliance programmes. Practical guidance draws on COSO, NIST and other widely used frameworks.

Key Points

  • Boards must oversee — not micromanage — risk management: set strategy, monitor principal risks, and ensure management integrates risk into decision-making.
  • Delaware case law (Caremark and recent rulings) raises liability risk where boards fail to document oversight or ignore “red flags.”
  • SEC rules and comment letters require clearer disclosure of board roles in risk oversight, plus specific climate and cybersecurity reporting obligations.
  • NYSE standards expect audit committees to discuss risk assessment and management; some firms may choose separate risk committees where appropriate.
  • DOJ guidance links an effective compliance programme to more favourable enforcement outcomes; boards should probe programme design, resourcing and effectiveness.
  • Investor and proxy-advisor scrutiny on ESG and risk oversight remains strong — poor oversight can lead to adverse votes or campaigns.
  • Cybersecurity, ransomware and data-privacy incidents are high-probability, high-impact risks; boards should ensure NIST-aligned controls, incident response, and timely disclosure plans.
  • Boards should document oversight activities, hold regular reviews (quarterly or semiannual), and ensure tailored director training and skills refreshment.

Why should I read this?

Look — if you sit on a board or advise one, this memo is basically the checklist you wish you had before a crisis. It tells you what regulators, courts and big investors are watching, what to document, and the practical steps to avoid being blindsided. Short version: read it now, so you don’t have to explain later.

Context and Relevance

The memo arrives amid intensifying geopolitical, macroeconomic, climate and technological risks (including generative AI). Regulators globally are sharpening disclosure and enforcement on ESG, cyber and governance; courts are more willing to let oversight claims proceed when records are lacking. Institutional investors and proxy advisers continue to push for transparent, demonstrable board oversight. For companies this means risk oversight is no longer a back-office tick-box — it’s central to corporate resilience, reputation and long-term value.

Practical relevance: the guidance ties legal exposure and stakeholder pressure to concrete steps — board-level delegation, documented reporting cadences, crisis plans, compliance resourcing, director training, and consideration of specialised committees or advisors where risks are complex.

Author style

Punchy. The memo reads like a high-stakes briefing: authoritative legal grounding, plain practical steps, and an implicit warning — boards that fail to document and engage meaningfully on risk oversight face real regulatory, litigation and investor consequences. Highly relevant for boards, general counsel, risk officers and senior management.

Source

Source: https://corpgov.law.harvard.edu/2025/09/25/risk-management-and-the-board-of-directors-10/