Many people believe that excessive risk taking at large financial firms was an important cause of the financial crisis of 2007-2008 and that preventing another crisis requires improving risk-management systems at such institutions. One way to do this would be to use board oversight liability to hold directors personally liable for failing to properly monitor the risks that their firms are running. The purpose of this Article is to determine what role director oversight liability can efficiently play in improving risk-management practices at large financial firms. A key contention of this Article is that previous treatments of this problem have largely failed to appreciate what risk managers at large financial firms actually do, and so the Article begins by explaining some of the financial models that risk managers typically use to measure the market risk and credit risk on portfolios of assets. A realistic appreciation of these models shows that the measurements of risk that they yield must necessarily incorporate paradigmatic business judgments, most importantly because these models aim to predict future results on the basis of historical data. In other words, the predictive ability of the models is founded on the business judgment that the future will resemble the past in relevant respects. Risk-management decisions are therefore always business decisions. With this conclusion firmly established, the Article reviews the principles of director oversight liability, the most relevant in this context being that oversight liability requires a showing that the directors were consciously disregarding their duties. This scienter-based standard practically guarantees that oversight claims based on alleged failures to detect and prevent weaknesses in the firm's risk-management systems will fail, as in fact happened in the Citigroup case, the most important oversight case predicated on alleged risk-management failures thus far litigated. The result in Citigroup has been subjected to much academic criticism. This Article considers these criticisms and argues that, in light of the actual nature of risk management and the financial models used therein, these criticisms are generally misguided. The result in Citigroup has also prompted proposals for expanding oversight liability in ways that would allow courts to review substantive risk-management decisions by corporate boards. The Article argues that such proposals are meritless for two reasons. First, because risk-management decisions are always business decisions, and because any business decision leading to losses for the company can be characterized as a risk-management failure, allowing courts to review risk-management decisions in oversight liability cases would, in effect, repeal the business judgment rule. Second, although such proposed expansions of oversight liability are aimed at limiting the excessive risk taking that supposedly contributed to the financial crisis, risk taking can be excessive in several distinct ways, and the sense in which excessive risk taking represents a genuine failure of risk-management systems (namely, risk taking in excess of the risk tolerance of the firm as set by the board) is not the sense in which excessive risk taking may have been a cause of the financial crisis (namely, socially inefficient risk taking or excessive systemic risk). Hence, even if expanding oversight liability for risk-management failures did not otherwise involve the tremendous inefficiency of effectively repealing the business judgment rule, such an expansion would still not be well calculated to address the perceived problem of excessive risk taking as a cause of the financial crisis. This Article concludes that director oversight liability has little or no role to play in improving risk-management practices at major financial firms.
