Risk Management and the Board of Directors

Summary

This memorandum — authored by Martin Lipton and colleagues at Wachtell, Lipton, Rosen & Katz — sets out why boards must treat risk oversight as a core governance duty. It explains that boards should not manage day-to-day risks but must actively monitor principal and emerging risks, document oversight, and ensure management integrates risk into strategy. The paper reviews legal drivers (notably Delaware Caremark jurisprudence), SEC and NYSE disclosure and committee rules, Dodd-Frank requirements for large banking firms, DOJ expectations for effective compliance programmes, and intense investor and proxy-adviser scrutiny. It finishes with practical recommendations for board processes, committee structures, documentation, director training, and specific guidance on ESG, cybersecurity and data-privacy oversight.

Key Points

  • Boards have an oversight role — not a management role — but must be actively engaged and document that engagement.
  • Delaware law (Caremark and later cases) raises the bar: a sustained or systematic failure to implement a reporting system, or to respond to the red flags it surfaces, can expose directors to liability; the defence is evidence of good-faith monitoring systems and a written record of oversight.
  • SEC rules and comment letters now demand clearer disclosures on board risk oversight, climate and cybersecurity risks, and insider trading policies (Rule 10b5‑1).
  • NYSE rules expect the audit committee to discuss risk-assessment and risk-management policies; Dodd-Frank requires large bank holding companies to maintain a separate board risk committee that includes members with specified risk-management expertise.
  • DOJ guidance and its 2025 revised Corporate Enforcement Policy prioritise genuinely effective compliance programmes; boards should ask the same probing questions prosecutors will.
  • Institutional investors and proxy advisers (ISS, Glass Lewis) increasingly hold directors accountable for material failures in risk oversight, including ESG and product-safety lapses.
  • Boards should adopt fit-for-purpose risk systems: identify material risks, transmit information to the board, integrate risk into strategy, review effectiveness regularly, and document actions.
  • ESG oversight requires boards to identify material sustainability risks, integrate them into risk processes and disclosures, and be mindful of polarised public debate when framing external communications.
  • Cybersecurity and data-privacy are high-priority risks: boards should ensure designated senior cybersecurity leadership reporting to the board, tested incident-response planning, third-party and vendor controls, and timely disclosure consistent with the SEC's cybersecurity disclosure rules (material-incident reporting and annual risk-management disclosure) and the NIST Cybersecurity Framework.
  • Practical steps include annual formal reviews, targeted director training, assessing board skill gaps, and reassigning committee responsibilities where appropriate.

Why should I read this?

Look — if you sit on a board, advise one or have accountability for governance, this memo is a short, no-nonsense primer on where the legal and regulatory heat is. It tells you what courts, regulators and big investors are looking for, and gives concrete actions to avoid nasty surprises. Read it so you can sleep a bit easier (or at least know what questions to ask management tomorrow).

Author style

Punchy. This is a practical, high-stakes briefing: directors and general counsel should treat the recommendations as urgent. The legal landscape and investor expectations have shifted — documentation, active oversight and demonstrable compliance programmes are now essential protections.

Context and relevance

The guidance is timely: heightened geopolitical instability, climate events, cyber incidents and rapid tech change (including generative AI) mean boards face a denser, faster-moving risk environment. Recent Delaware decisions and stricter disclosure and enforcement activity make robust oversight and written records central to director risk defence strategies. For sectors exposed to ESG, cybersecurity or regulated finance, the memo is particularly relevant.

Source

Source: https://corpgov.law.harvard.edu/2025/09/25/risk-management-and-the-board-of-directors-10/
