Organisational risks: why should ethics feature prominently?

The majority of organisations in the modern era understand the importance of risk management and hence make some effort to manage it. The obvious dimensions of organisational risk are financial, legal, operational, information technology, human resources, and marketing risks. These are usually acknowledged and frequently managed in a structured manner.

Often overlooked, however, is the dimension of ethics risk. It does not require complex reasoning to understand that ethics and ethical consequences are an integral part of each of the mostly well-attended-to and obvious organisational risk dimensions. Neglecting the ethically related fallout of financial, legal, operational, and other similar risk dimensions could occur at an organisations’ peril, however, perceiving ethics risks as an incidental component of other risks will not suffice though.

Furthermore, a perusal of what is accounted for in organisations’ risk registers, reveals an omission or undervaluation of ethics risk. There is no doubt that negation of the importance of ethics risk could possibly cause more reputational harm than the mismanagement of other risk dimensions, should ethics not be attended to and managed in a concerted way.

It is unfortunately not so glaringly obvious that ethics risk should indeed be a separate risk management dimension in its own right. Possible reasons why ethics is often not an integral component of organisational risk management efforts may be that organisations either view ethics as a soft issue that cannot be managed or should they at best acknowledge the fact that it could be managed, they do not know how to go about doing it.

Many organisations make some attempt to design and implement ethics management interventions based on Principle 2 of the King IV™ Report on Corporate Governance, which states: “the governing body should govern the ethics of the organisation in a way that supports the establishment of an ethical culture.” The King IV™ Code further recommends that organisations’ governing bodies should address any key ethics risks that the organisation may face. The way that these principles are adhered to often lacks planning and implementation.

Ethics management, and consequently, ethics risk management require a specialised approach. Since many organisations do not have the wherewithal to manage ethics risk, a seemingly reactive and actionable way is to opt for providing ethics training to many, if not all of their employees. Such training efforts will thus be based on generic or specific approaches to ethical challenges. This approach is neither based on best practice nor an appropriate ethics management framework for the organisation and could thus be counteractive. Employees are trained without anybody in the organisation knowing where ethics fit into the bigger picture or how they need to appropriately act ethically.

Another reactive intervention that is often viewed as a magic cure for an organisation’s ethical ills is whistleblowing. Encouraging employees to blow the whistle would therefore, frequently as a singular intervention, constitute ethics management. Such interventions are implemented based on the assumption that this mitigation approach is sufficient.

It is crucial that organisations start to realize that a comprehensive and proper ethics risk assessment is the foundation of any ethics management framework and subsequent ethics management interventions. Should organisations not know how to identify the ethics risks to be addressed, how could they manage these? Assessing ethics risks in an organisation places ethics firmly on the agenda and is the first step to making ethics part of the organisation’s voice. Ethics risk assessments’ results, when viewed holistically, informs the organisation’s ethics profile. The profile can thereafter form the baseline of an ethics management strategy.

Based on the information obtained by the results of the ethics risk assessment, an appropriate 3 – 5-year ethics management strategy could be formulated. Such a strategy contains guidelines on the enhancement of ethical leadership, ethics awareness and training, building sustainable ethical cultures, and other appropriate ethics management interventions, the intent of which is to ‘make ethics real’ in the organisation. Another focus area of the strategy may be aimed at the formulation of new, or amendment of existing codes of ethics or conduct. Such guidelines will thus be formulated based on fact rather than intuition.

In the final analysis, an ethics management strategy also informs the contents of ethics risks that need to be accounted for in the organisation’s overall risk register. A well-formulated ethics management strategy prevents ethics management from becoming just another compliance and tick box-based exercise.

Eventually, reporting on this entire process to the ethics committee of the governing body becomes a matter of substance and not supposition.

It should not be assumed that the assessment and management of ethics risks are only focused on the negative, in other words on that which is wrong or that can potentially be wrong. Many organisations already implement authentic and sound initiatives to enhance their ethical culture and ultimately their ethical reputation. These positives should be viewed as opportunities that should also be assessed and thereafter capitalized on.

Leading practice in conducting effective ethics risk assessments is to engage with all appropriate internal, and where applicable, external stakeholders to establish their perceptions of the ethics risks and opportunities faced by the organisation. This implies an assessment programme where both qualitative and quantitative data should be obtained. Only then can the results be regarded as legitimate and evidence-based. Dimensions that should be assessed and included in any ethics risk assessment initiative should, at a minimum, provide information on the ethical culture maturity of the organisation and the ethics behaviour risks that may be present.

All stakeholders who are directly or indirectly involved and affected by ethics risk assessments need to know that it is a survey with qualitative and quantitative components. It is not a forensic investigation, an ethics audit, a witch hunt to get ‘rid’ of certain employees, or an attempt to ‘catch out’ those who commit ethical wrongdoing.

The credibility of an ethics risk assessment project is dependent on several key success factors. These are:

  • An appropriation of the belief that ethics is not a soft issue but indeed as concrete as other dimensions considered as material risks. Ethical reputation is equally important to trust-based financial performance and legal compliance. 
  • A clear understanding of why an ethics risk assessment should be conducted. 
  • Ensuring the perceived legitimacy and objectivity of any ethics risk assessment. It is recommended that organisations utilise external expertise to assist them in the assessment of ethics risks and opportunities as well as the data analysis and interpretation that follows such assessments.
  • Proper orientation of the entire organisation including employees on all levels and the unions they might belong to is imperative to ensure buy-in and trust in the ethics risk assessment process.
  • Ensuring that the ethics risk assessment is followed by the development of an ethics management strategy that can be practically implemented and is indeed seen through and applied in a structured and concerted manner.
  • Objective and truthful feedback to all stakeholders, including the governing body, all employees, and external stakeholders, where appropriate, is non-negotiable to ensure that it has any impact on the ethical performance and ethical culture that is a key component.
  • Ensuring that ethics risk assessments are conducted in an ethical manner and not merely forced upon stakeholders.

Lastly, organisations that complain about ethics management being ‘too expensive’ should ask the question as to what the costs of unethical behaviour could be. It is never too expensive to manage ethics. Not only as an organisational risk dimension in its own right but also as an indispensable ethics management intervention.


About the Authors: Prof Leon van Vuuren is an Executive Director and Lizette Hattingh is a Senior Associate at The Ethics Institute.