Alphabet Is Rethinking Board Risk Oversight—Should You As Well?

July 11, 2025 | By Mary Kohler in Bloomberg Law

Life sciences attorney Mary Kohler says boards with standalone risk committees should choose strategic members, build strong partnerships between compliance and committee leaders, and simplify risk assessments.

As a federal judge weighs remedies in Google’s high-profile antitrust case, its parent company, Alphabet Inc., has proposed an unusual settlement in a separate shareholder matter. Rather than offer restitution, it promised sweeping change.

Among other things, Alphabet pledged to invest $500 million in compliance and shift overall risk oversight from its board’s audit committee to a new “risk and compliance committee.” While not a novel idea, dedicated board-level risk committees remain uncommon in practice.

Alphabet is urging other tech companies to follow its lead. This challenge resonates well beyond Silicon Valley. As a former compliance leader at a major biotechnology company, I’ve worked with a standalone risk committee. This type of group can be powerful in the right context.

Board Risk Oversight

To oversee corporate strategy, boards must understand the associated risks. Most US companies assign this role to their audit committees.

But audit committees already shoulder heavy responsibilities, and members with financial expertise may miss risks outside their domain. A weak regulatory function, for example, may not register as an issue until a drug approval is rejected or a consumer product must be recalled.

Following a wave of corporate scandals, Dodd-Frank required certain financial institutions to establish dedicated risk committees. But other industries haven’t followed suit.

Some companies rethink oversight in response to a crisis, as Alphabet now appears to be doing. Medical supply and technology company McKesson Corp. created a compliance committee while facing scrutiny for its role in the opioid epidemic. More recently, biopharmaceutical company Athira Pharma Inc. formed one while settling research misconduct allegations with the Department of Justice and investors.

Companies more commonly establish specialized board committees to oversee risks tied to their business model. A drugmaker might have a scientific committee; a company with significant government contracts might focus on public-sector compliance.

Assessing the Need

Whether to create a standalone risk committee depends on factors such as company size, regulatory exposure, and governance philosophy. A global biopharma company may benefit more than a private apparel brand. Alphabet’s settlement agreement suggests investors want to temper an aggressive competitive culture.

But more isn’t always better. Too many committees can dilute effectiveness, increase overlap, and stretch board members thin.

Most committees deal with risk to some degree, so clear mandates are essential. Alphabet’s board will need to define how the new body interacts with its audit and compensation committees.

In my experience, a standalone risk committee proved valuable as new industry enforcement loomed. Management had been slow to act, but the committee grasped the stakes quickly and helped prioritize a response.

As our compliance function matured, this body became a vital conduit for the board-level engagement that the DOJ expects. Not having to compete with finance for airtime enabled us to offer engaged directors clarity on a broader spectrum of risks.

For tech, the time may be ripe to think more critically about risk. Alphabet’s move comes amid rising concerns about artificial intelligence, automation and social media reshaping society in ways we can’t yet grasp. Meanwhile, Meta is turning privacy compliance reviews over to AI, and pulling back from content moderation.

The judge has questioned whether Alphabet’s proposed shareholder settlement would lead to meaningful change. She asked for more details after Alphabet conceded its financial pledge includes changes the company has already made.

Still, Alphabet’s challenge might take hold. Meta evidently changed its board structure effective June 1, chartering a “risk and strategy committee.”

Risk committees aren’t panaceas, though. Silicon Valley Bank had one—and still failed. To move the needle, committees need attentive, forward-looking directors who aren’t afraid to ask hard questions. Looking past Alphabet’s promises of fundamental governance reform, the judge wants to ensure the company will address the shareholders’ primary complaint — failure to identify red flags.

Before forming a new committee, boards should assess how they pressure-test strategy and operations. The Association of Corporate Counsel recently found that while chief legal officers view enforcement risk as a top concern, they’re participating less in board meetings and strategy sessions. Closing that gap may matter more than any formal structural change.

Making It Work

If your board does move toward a standalone committee, success depends on structure and substance. Consider the following.

Choose members who are strategic, curious, and steeped in the business. They’re best equipped to anticipate pitfalls and guide leadership through tradeoffs. A committee that simply blocks ideas will lose influence quickly.

Build a strong partnership between compliance and the committee chair. The compliance officer ideally acts as co-chair, developing the meeting after aligning with the chair on strategy and focus.

Keep risk assessments simple and focused. Committees must deal with crises, but their aim is to help business leaders prevent them. Identify the highest-risk functions and set a regular review cadence to give the committee a full and continuous view of the landscape.

Teach staff how to engage with the board. Directors usually need less detail but more context than internal stakeholders expect.

Coach executives, too. Many are comfortable presenting results but hesitate to surface early concerns. Dry runs and two-page pre-read memos can help prompt deeper thinking about emerging risks and execution gaps. Without sustained engagement below the board level, even the best designed committee will struggle.

Be judicious about C-suite involvement. Launching compliance involves company-wide change. Executives should make essential risk calls and help shape direction. But they will lose patience with the details of a new program’s structure and operation.

Keep operational teams lean. Early enthusiasm can fade when real work begins. A small group of well-chosen leaders is usually most effective at surfacing risks and championing solutions.

Above all, challenge people to care. Compliance infrastructure matters, but process doesn’t shift culture—leadership does. After facing intense scrutiny, Boeing Co. adopted a blunt new value: “Give a damn!” It’s unorthodox, but when cultural change is the goal, that kind of clarity can go a long way.

This article does not necessarily reflect the opinion of Bloomberg Industry Group, Inc., the publisher of Bloomberg Law, Bloomberg Tax, and Bloomberg Government, or its owners.

Author Information

Mary Kohler is founder and principal of Kohler Health Law, advising life science companies on the development and commercialization of products.

This article does not create an attorney-client relationship or constitute legal advice.

________________________________

Copyright 2025 Bloomberg Industry Group (800-372-1033). www.bloombergindustry.com. Reproduced with permission.