Public companies and their boards of directors face an increasingly complex array of risks that test the resilience of corporate values, strategies, operations, and enterprise risk management frameworks.  Tighter monetary policies, deepening geopolitical tensions, widening domestic political polarization, labor shortages, severe weather events, growing challenges tied to nature and biodiversity loss, and the uncertainties surrounding generative AI are among the varied risks that companies have had to contend with in recent years.

These risks are likely to persist and even intensify—against the backdrop of unpredictable trade and foreign policy, ongoing conflict in Ukraine and the Middle East, and China’s sluggish post-pandemic recovery.  Severe wildfires, heatwaves and flooding across the globe, rising insurance costs, and the exodus of insurers from large pockets of the country underscore the burgeoning financial risks and challenges that climate risks pose.  Cybersecurity risk continues to increase in scale and scope while the geopolitical rivalry between China and the United States remains unabated.  According to the World Economic Forum’s Global Risks Report 2025, the majority of the business leaders polled anticipate some instability and a moderate risk of global catastrophes, while another 31% expect even more turbulent conditions over the next two years.

All of this underscores the corporate imperative to continually reassess risk profile and exposure, and to adapt policies and processes accordingly.  Managing corporate risk is not just the business and operational responsibility of a company’s management team—it is a governance and strategic issue that is squarely within the oversight responsibility of the board.  Courts and regulators are increasingly scrutinizing board-level risk oversight mechanisms, as well as the adequacy of public disclosures and the quality of board responses when crises erupt.  Recent Caremark decisions from the Delaware Court of Chancery continue to set a very high bar for claims of oversight failure, but have also allowed some claims to proceed beyond the motion to dismiss stage where the allegations show a bad-faith failure to appreciate and oversee core risks to the company’s business.  Pressure from institutional and activist investors, state law-enforcement authorities, and federal administrative agencies also continues to mount.

This guide identifies critical risk-management issues that merit close attention by directors and management, and surveys the sources of risk oversight obligations borne by boards of directors, including Delaware law developments highlighting the importance of active, engaged board risk oversight (and maintaining appropriate records of that oversight), as well as U.S. Securities and Exchange Commission (SEC) and New York Stock Exchange (NYSE) rules, input from investors and proxy advisory firms, and U.S. Department of Justice (DOJ) expectations.  We end with a set of recommendations for improving risk oversight overall, including specific advice for managing sustainability, cybersecurity, data privacy, and other environmental, social, and governance (ESG) risks.  

The discussion continues in our revised 2025 edition of Risk Management and the Board of Directors.