Braving the Perfect Storm: Board Oversight of Risk in 2023

By Lisa Fontenot and Alyssa Dickinson

02/08/2023


Global geopolitical, macroeconomic, and environmental disruption abounding in 2023 tests boards’ leadership, particularly in terms of monitoring corporate responses to new stresses and demands. While managing risk on a day-to-day basis falls to corporate management, boards remain responsible for overseeing those efforts and cannot afford to exercise their duties passively in an increasingly interconnected, digitally driven world.

After highlighting stakeholder views on risk oversight and exploring the continuing rise of environmental, social, and governance (ESG) imperatives, this article discusses ways boards can effectively position themselves to address risks to corporate strategies prevailing in 2023. A perfect storm of challenging practical conditions, more rulemaking, enforcement activity, and litigation only underscores boards’ need to review their oversight of risk management in the new year.

Evolving Stakeholder Expectations

Governments, investors, and other corporate stakeholders have come to expect more from boards, both in terms of approach to risk oversight and the scope of risks under their purview. Delaware courts, which play a key role in shaping legal jurisprudence as to board governance, have appeared increasingly receptive to allegations of failures of board oversight (so-called Caremark claims, which get their name from a seminal case finding a “sustained or systematic failure of the board to exercise oversight”).

New and proposed US Securities and Exchange Commission (SEC) rules related to climate change, cybersecurity, and human capital are prompting further detailed disclosure of material risks and related oversight mechanisms. These new disclosures are coupled with increased SEC inquiries and enforcement activity as to ESG matters.

In addition to the SEC, the US Department of Justice (DOJ) has published increasingly robust guidelines for sentencing corporate misbehavior that require companies to create a risk oversight program and properly maintain it. Institutional investors and proxy advisors are issuing ever-stronger policy statements regarding boards, which increasingly revolve around ESG issues. To meet these expectations, boards are best served by ensuring that management is proactively identifying relevant risks and verifying that proper infrastructure is in place for effective reporting by corporate executives and their teams.

Mission-Critical Risk

To optimize the use of finite corporate resources in the face of ubiquitous risk, prioritization is key. Since the Delaware Supreme Court’s 2019 Marchand v. Barnhill (known as Blue Bell) decision, allegations that a board did not attend to key risks have increased, even where companies had published corporate policies regarding risks.

In Marchand, the Delaware Supreme Court concluded that a complaint stated a claim for lack of board oversight when an ice cream company did not have board-level reporting on food safety, the “most central safety and legal compliance issue facing the company,” which the court deemed a “mission-critical” risk. As Delaware courts do not expressly define “mission critical,” the nature of a company’s business and growth strategy inform its definition.

Awareness of criteria applied by government agencies and investors to assess risk management is also important to validate that corporate risk and compliance programs meet external standards of measurement. For example, in keeping with the DOJ’s guidance, boards may find it useful to verify that compliance programs are designed by people with relevant expertise and include written policies that are then implemented in part by training.

It may be appropriate to engage counsel or consultants with appropriate expertise to assist in the establishment, and the periodic review of, the company’s risk programs and in identifying, understanding, and managing business-specific risks in a timely manner.

Structuring Risk Oversight

Corporate boards have the flexibility to design the most appropriate structure for the company to fulfill their oversight duties, save those bank holding companies and other financial institutions required by the Dodd-Frank Act to maintain a standing risk committee. While some boards allocate risk oversight to the full board, others delegate certain categories of risk to specific committees or, as a growing practice, a standalone risk committee.

There is no single, universal right approach, but boards are best served by assigning responsibility in a way that most enables them to remain reasonably informed about—and capable of evaluating management reporting of—the company’s major risks and the processes management uses to identify, monitor, and manage those risks.

For example, when it comes to cyber risk, boards may find it most effective to have an audit committee member versed in cybersecurity issues consult regularly with the company’s chief information officer and focus on these matters in connection with internal audits. A compensation committee is often well equipped to bear responsibility for management succession planning. Delegation to the most logical board committee or a risk committee (rather than the full board) may permit a board to best home in on topics critical to business resilience.

In addition to establishing appropriate governance structures, effective oversight requires that mechanisms be in place for reporting risk identification, monitoring, and mitigation efforts. These could include regular updates from management or functional specialists and dashboards that contain material financial items, key performance indicators, and other essential performance metrics, including ESG topics.

Although developing a dashboard may require an initial investment of time and resources, doing so creates a more efficient, consistent, and transparent risk oversight process. Oversight efforts would also be bolstered by regular review of the company’s legal compliance programs and of their effectiveness in detecting wrongdoing, conducted through legal department reports that follow a clear outline defined in advance.

Documenting Board Oversight

Documenting the board’s activities is a critical component of demonstrating management’s efforts to monitor relevant risks and board review of these efforts.

To preemptively address doubts, periodic meeting agendas should expressly include topics such as insurance, cybersecurity, workforce trends, corporate sustainability, and other mission-critical risks particular to the company.

An absence of adequate, contemporaneously created records of risk reporting and of the board’s engagement in overseeing it could be interpreted as a failure to consider risk management and exercise proper oversight. The most well-kept board or board committee minutes reflect management’s presentation of mission-critical topics and any actions taken at the direction of the board. As one former Delaware Court of Chancery vice chancellor has indicated, thoughtfully prepared minutes can serve as critical evidence of boards taking their responsibilities seriously.

As is the case for governance more generally, well-prepared documentation can also avoid the time-consuming and costly process of having to reconstruct a record of robust engagement and fulfillment of duties. With shareholders increasingly gaining access to corporate records through Delaware General Corporation Law Section 220 (“books and records”) demands, which form the basis of claims of fiduciary duty failures, it is increasingly important for companies to properly document their efforts.

As part of this reporting and oversight process, the board’s awareness and review of corporate messaging in any corporate sustainability reports or SEC filings, including the new and expanded disclosures required under new and proposed SEC rules, further the execution of its oversight duties.

Failure to establish and maintain effective risk oversight creates corporate vulnerability, invites scrutiny by governmental entities, and engenders dissatisfaction among investors, employees, and partners. As we experience rapid macroeconomic change, technological transformation, and heightened geopolitical disruption at the outset of 2023, evaluating the sufficiency of the corporate approach to risk oversight is a priority.

With these risks and natural disaster exposure gaining importance in corporate strategic planning, preserving and growing corporate resilience and value is best served by promptly revisiting frameworks used to oversee risk management. In this new year, a board assessment of the infrastructure used to identify, monitor, and mitigate mission-critical risk, and thoughtful documentation of these oversight efforts, will help companies and their boards better brace themselves for any storms 2023 presents.

Lisa Fontenot
Lisa Fontenot is a corporate partner in Baker McKenzie's Palo Alto office.

Alyssa Dickinson
Alyssa Dickinson is an associate in Baker McKenzie's Palo Alto office.