A Revamp of Risk Oversight Disclosures

Introduction

The proxy trends series, prepared by Labrador’s Lead Advisors, explores emerging trends in proxy statements in 2025 and offers insights and actionable elements for your teams to consider as you prepare your 2026 Proxy Statement.

This article, by Meredith Shaughnessy, reviews how some public companies addressed risk oversight disclosures in their 2025 proxy statements.

Evolution of the Risk Oversight disclosures

After becoming a hot topic several years ago[1], Risk Oversight disclosures have largely settled into a standard format:

(a) a matrix showing Board/Committee oversight of key risks and the role of management,

(b) a description of the company’s enterprise risk management (ERM) program, and

(c) deeper dives on the Board’s oversight of more significant risks, with a separate section on sustainability oversight.

Among S&P 100 companies:

56% disclose an overview of the ERM process in the risk oversight section, including timeframes for assessing risks

70% include a section, subsection or callout discussing the board’s role in ESG oversight

75% depict the distribution of specific risk oversight responsibilities among the Board, Board committees, and management in a matrix, table, graphic or using other visual elements

16% include a table or graphic highlighting selected areas of oversight (for example, sustainability, cybersecurity)

Board oversight of Artificial Intelligence (AI) is also an emerging trend. See page 9 of this Thought Piece for a Spotlight on AI disclosures.

A review of the Dow 30 and select other 2025 proxy statements shows that several companies have evolved their Risk Oversight disclosures beyond this standard approach. As you begin to think about your 2026 proxy statement, consider whether to adopt any of the following Risk Oversight disclosure enhancements:

  1. Rethink the traditional committee oversight matrix;
  2. Show an integrated approach to risk throughout the company; and/or
  3. Reflect better alignment between risk, strategy and sustainability.

[1] See our prior Thought Pieces on this topic, available here and here.

Rethink the Traditional Committee Oversight Matrix

Many companies cite the desire to streamline text and remove duplication in their proxy statements. We recommend reviewing your Committee descriptions and Risk Oversight disclosures to see how they overlap. Similarly, consider whether key risks are overseen by the Board or a single committee, or whether there is a more cross-functional approach.

Two companies have moved away from the traditional Committee oversight matrix in their Risk Oversight sections:

JPMorgan (p. 29) has a very short “Risk Management and Internal Framework” disclosure, with its Committees’ role in risk oversight and key oversight responsibilities discussed in “Committees of the Board” on pp. 23-24.

Fortive (p. 19) organizes its matrix by risk category, cross-functional Board/Committee oversight responsibility, and director expertise.

Show an Integrated Approach to Risk Throughout the Company

The traditional Board/Committee/management oversight graphic often includes only a high-level overview of the role of management in managing risks, with a separate discussion on the ERM process. Two Dow 30 companies take a different approach, incorporating a crisp, easy-to-digest graphic that shows their top-down/bottom-up risk management governance structure.

American Express (p. 20) has a simple graphic that shows the various Board, Committee and management-level committees, plus the key risks overseen.

Boeing (p. 31) takes the bottom-up disclosure a step further by including all Boeing employees and the role of annual training.

Reflect Better Alignment Between Risk, Strategy and Sustainability

Growing anti-ESG backlash and the current political and legal environment have caused companies to rethink whether and how they report on sustainability-related topics in their proxy statements and annual reports on Form 10-K.

We recommend, however, taking a step back from the rhetoric and examining the interrelated nature of sustainability, risk management, strategy and competition, and long-term value creation.

A Harvard Business Review article[2] published in late 2024 noted just that, when the authors argued that corporate leaders should (1) solve for sustainability issues that “have the most impact on the bottom line,” and (2) “identify the most material negative impacts your firm is having on society, and invest serious resources to developing practical solutions,” which goes directly to strategy, value creation, and long-term competitiveness.

Similarly, PwC makes a persuasive case for integrating sustainability into a company’s ERM process.[3] Among other outcomes, PwC notes that the integration will help companies “align with strategic goals, strengthen resilience, capitalize on new opportunities, and fortify their position in an ever-evolving business environment.”

The examples on the following pages show different approaches to describing the relationship between risk, strategy and sustainability. Travelers goes the furthest in reflecting this alignment, collectively discussing “Oversight of Corporate Strategy, Sustainability and Allocation of Risk Oversight.” Other Dow 30 companies that integrate risk and sustainability, or sustainability and strategy, are Verizon, Lockheed Martin and UnitedHealth Group.

[2] “It’s Time to Unbundle ESG” by Aaron “Ronnie” Chatterji and Michael W. Toffel, published September 20, 2024

[3] “A Holistic Approach to Sustainable Risk Management,” published April 7, 2025

Under a section entitled “Sustainability and Risk Management,” Travelers discusses the relationship between “The Travelers Promise” and shareholder value creation, as well as “Oversight of Corporate Strategy, Sustainability and Allocation of Risk Oversight.”

Verizon identifies Environmental Sustainability and Responsible Business as business risks, giving those matters the same prominence as ERM and as financial risk and capital allocation within its Risk Oversight disclosure.

Lockheed is a perennial favorite in its fulsome and engaging disclosure of the Board’s oversight of risk, strategy and sustainability. Lockheed uses descriptive headings throughout its proxy to inform the reader, including “We integrate sustainability governance through a risk-management lens.”

Following a lengthy “Risk Oversight” section, UnitedHealth Group discusses its alignment of sustainability priorities with its long-term strategy, and notes that “[s]ustainability serves as our foundation for strategic long-term growth.”

Spotlight on Oversight of AI

Companies increasingly disclose board-level involvement in AI oversight, signaling recognition of AI as a material risk. According to the EY review “Cyber and AI oversight disclosures: what companies shared in 2025,” 48% of Fortune 100 companies explicitly cite AI as part of the Board oversight of risk.

Disclosures often emphasize frameworks for ethical AI use, compliance with emerging regulations, and integration of AI risk into enterprise risk management. However, the depth of oversight varies: while some companies have included a section dedicated to AI governance, most mention it as one of the risks overseen by Boards.

40% of companies reviewed by EY assigned AI oversight to a specific committee, and the majority assigned it to the Audit Committee, though AI-related disclosures in proxy statements tend to be more precise and comprehensive when the Governance or a Technology committee is tasked with AI oversight.

Equifax (pp. 44-45) details the structure of AI Governance in the Responsible Business section. The company includes responsibility from the Board to all employees, and the standards and policies adopted.

Allstate (p. 40) presents AI as a key risk and describes how AI oversight is integrated in the risk management structure of the company, with ultimate oversight from the whole Board and the Audit Committee regarding controls and risk management aspects.
