Risks and Ethics
TABLE OF CONTENTS
ICEBREAKER: FRIENDS INDEED
ACTIVITIES
Sample Worksheet: Hazards
Quick Reference Sheets
Certificate of Completion
WHAT IS A HAZARD?
What Is a Risk?
Consult with Employees
Likelihood Scale
DEFINE RISK MANAGEMENT
The upside of risk-opportunity management
The importance and benefits of risk management
Benefits of risk management
Risk management framework and standards
Risk management roles and responsibilities
Risk appetite and risk tolerance
Risk appetite
Risk management in support of organisational strategy
Risk detection and assessment
Risk identification is a structured process that
Risk analysis needs to be applied after risk identification
Risk evaluation is the final step in the risk assessment process
Ethics risk as an organizations of organisational risk
CASE STUDY
DEFINE ETHICS
Confidentiality
ETHICS AND DECISION-MAKING
Ethical decision-making framework
ETHICS OF GOVERNANCE
ETHICS POLICY
RISK MANAGEMENT PROCESS
Ergonomics risk management process
The Ethics Institute (TEI)
Business process selection
Risk analysis
ETHICS AND DECISION-MAKING
THE RISK ASSESSMENT PROCESS
FREQUENCY, SCOPE, AND DEPTH OF ETHICS AND RISK ASSESSMENT RISK RATING (MITIGATION PROCESS)
AN ETHICS MANAGEMENT RESPONSE TO RISK IDENTIFICATION AND RISK RATING
THE ETHICS OF ETHICS RISK ASSESSMENT
HANDOUT SAMPLE AT THE END OF THE LEARNING: WORKSHEET FOR ETHICAL DELIBERATION
REFERENCES
Risks and Ethics Learner Guide
Materials Required
• Name card for each person
• Markers
Preparation
Have participants fill out their name card. Then, ask participants to stand in a circle, shoulder to
shoulder. They should place their name card at their feet. Then they can take a step back. You as
the facilitator should take the place in the centre of the circle.
Activity
Explain that there is one less place than people in the group, as you are in the middle and will be
participating. You will call out a statement that applies to you, and anyone to whom that
statement applies must find another place in the circle.
Examples:
• Friends who have cats at home
• Friends who are wearing blue
• Friends who don’t like ice cream
The odd person out must stand in the centre and make a statement.
The rules:
• You cannot move immediately to your left or right, or back to your place.
• Let’s be adults: no kicking, punching, body-checking, etc.
Play a few rounds until everyone has had a chance to move around.
We have outlined all the main suggested headings and developed a few key points for this
presentation.
It is in the same format and contains the same material as the Facilitator Guide, with the difference
that the Facilitator Guide will have practical activities guidance for each new section where possible
to lead the group.
The Training Manual can be easily updated, edited, or customized to add your business name and
company logo or any content suggestion changes required from your side.
Activities
The methodology is to provide each participant with a copy of the material so that they can
follow along with the facilitator during a highly interactive session that includes case studies,
section debrief questions for group discussion (to link to the work environment), and role play or
interactive games (to learn from each other's real experience). Participants make their own notes
during the allocated debrief time, to keep as a reference for transferring the skills attained during
the workshop to the workplace.
During the facilitation of a lesson, a Worksheet or Handout may be utilized to help present the
material. If a lesson calls for a Worksheet or Handout, it will be listed in the Lesson Plan box under
Materials Required. The trainer can then utilize the Activities folder for the corresponding material
and then provide it to the participants. They are all on separate Word documents and are easily
edited and customized.
Below you will see the Worksheets or Handouts that are utilized during the training of the above
lesson. They are in the Activities folder and can be easily printed and edited for the participants.
Identifying potential problems requires close inspection of the work area. To do this, you need to look at the
environment carefully. Inspect each area of the facility for hidden risks and hazards that can cause problems. This
requires walking around the entire facility and making note of everything. It is essential to consider every possible use
of an area, all materials used, and each tool.
No matter how prepared you are, problems are not always easy to predict. This is especially true of external events.
You have more control over internal events, but external events are more unpredictable. With external events, you
need to be prepared for every possible problem. These events are, basically, anything around the office that is not
internal.
Every office building requires an emergency action plan. Emergency action plans are implemented in case of an
emergency such as a fire or major machine malfunction. Emergency action plans need to be written and accessible to
employees. In small groups (under 10), the action plan may be communicated to employees verbally.
Each employee must be trained to evacuate and assist other employees. The employer must review the action plan
with employees when they are hired, when there are changes, and when employee roles change.
Certificate of Completion
Every course comes with a Certificate of Completion so that participants can be recognized for completing the course. It provides a record of their
attendance and recognizes their participation in the workshop.
Module One: Identifying Hazards and Risks Management
What Is a Hazard?
A hazard is any source of harm. This includes adverse health
effects or loss to the organization or employee. Hazards are
varied. They include materials, substances, and sources of
energy, processes, practices, and conditions.
Examples of hazards:
• Sharp objects
• High temperatures
• Electricity
• Slippery surfaces
• Asbestos
• Chemicals
Once hazards are identified, you can take the opportunity to identify the risks associated with each
hazard in your facility.
What Is a Risk?
A risk is not a hazard. It is the chance of harm coming from a hazard. This
applies to health, bodily safety, equipment, and property. For example,
prolonged exposure to chemicals in the work environment increases the risk
of health problems. Noise exposure can place an employee’s hearing at risk.
Identifying the hazards in an environment is the first step in risk assessment.
The second step is to determine who is at risk from these hazards. The third
step is to evaluate the risk, and the final step is to determine the best way to
Likelihood Scale
The likelihood scale is used to determine the likelihood that an event will
occur. For example, you would use it to determine the risk of an equipment
malfunction. Each risk needs to be scored on the likelihood scale from 0 to 3.
• 0 – Impossible: There is no possible way that an event can take place. This is rarely used.
• 1 – Low possibility/Remote possibility: There is a slight risk, 2% or less, of something
happening.
• 2 – Medium possibility/Possible: The event is possible. It has between a 2% and 25% chance of
occurring.
• 3 – High possibility/Probable: There is a greater than 25% chance that something is going to
happen. The event is likely going to occur soon.
Scores should be based on the current data that you have. The reasons for your score should also be
recorded.
Example:
Risk Score Reasoning
Each company will have different risks and scores. Risks with higher scores need to be addressed
quickly.
Risk management is the process of planning, organizing, directing, and controlling resources and
operations to achieve given objectives, despite the uncertainty of events. Effective risk
management enables an organization to manage the probability of any unforeseen events that may
arise, and to limit the effect of the consequences, along with responding proactively to
opportunities. This means the organization will be better able to carry out its plans – in other words,
achieve its organizational objectives – despite the uncertainty of events occurring in the
environment in which it functions.
employees work towards common goals and establishing agreement around outcomes”, which
suggests that organisations use this process to define their vision/mission, set strategic goals
(outcomes), identify strategies to achieve these, and develop tools to measure their achievements.
Internal and external risks may undermine the achievement of an organization’s strategic goals. By
the same token, upside risk may facilitate the achievement of strategic goals.
It has therefore become imperative that organisations adopt a formal risk management process,
whereby risks are pro-actively identified, captured in risk registers, and managed. Furthermore, risk
management and strategic planning need to be integrated into a single co-ordinated and holistic
process.
Tangible benefits of risk-opportunity management include projects and activities delivered on time
and on budget; not adversely affecting stakeholders (including the workforce, the environment and
society), such as through physical and environmental harm; and not exposing the organisation to
financial or other penalties.
managing risk are based on information sources, decision-makers are encouraged to familiarize
themselves with valuable information sources, as well as any limitations related to data.
7. Risk management is transparent and inclusive. It therefore encourages organizations to
identify internal and external stakeholders, and to consult stakeholders on key policies and
decisions that require buy-in and support.
8. Risk management is dynamic, iterative, and responsive to change. It continually senses and
responds to change and allows for more effective planning.
9. Risk management facilitates continual improvement of the organization. As organizations
implement strategies to improve their risk maturity, other aspects of the organization also
benefit.
10. Benefits in economy and efficiency can be achieved in the targeting of resources, protection of
assets, and avoidance of costly mistakes.
11. The organization’s reputation is enhanced, as clients are drawn to organizations that are known
to have sound risk management processes.
12. Effective risk management of personal risk (personal wellbeing) generally improves health and
wellbeing of self and others.
• identifying those responsible for the risk management process at all levels in the organization
• establishing performance measurement metrics
• establishing external and/or internal reporting and escalation processes
The governing body should specify responsibilities across multiple 'lines of defence' as appropriate
to the organisation. These would generally include the executive leadership team, risk
practitioners (such as a chief/corporate risk officer), management, and the overall workforce.
It is the responsibility of the governing body of the organisation to determine the various levels of
risk appetite. This body should consider the views and requirements of internal and external
stakeholders (e.g., shareholders, regulators, local communities, customers, the organization’s own
workforce, etc.).
The governing body is responsible for establishing the overall risk appetite of the organisation,
within the limits of legal and regulatory requirements. A business unit general manager may be
responsible for establishing the risk appetite of that unit, within the broader constraints imposed
by the overall organisation. Project managers may establish their own project risk appetite, within
the boundaries agreed upon by the project sponsors.
There should be a range of different appetites defined for different risk types – financial or
non-financial – for example, for risks related to the law, finance, operations, ethics, health and safety,
and other domains. Risk appetite is dynamic and fluctuates as various internal and external factors
change.
Risk tolerance
Risk tolerance reflects an organization’s ability, or readiness, to bear a risk after all responses have
been put in place. It is the level of unwanted outcomes that can continually be tolerated. Risk
tolerance may refer to financial (e.g., profit), quasi-financial (e.g., gearing), or non-financial (e.g.,
staff turnover) aspects of risk.
The organization’s risk tolerance, however, should always be higher than its appetite for risk. Where
the appetite exceeds the tolerance, this should be disclosed to the relevant stakeholders.
Public sector organisations should recognise that their risk tolerances should be defined
differently to those of private organisations, particularly as there are legislated service commitments
that must be maintained, irrespective of financial constraints.
way of such achievement. In establishing the context, the organization could follow the process
below:
Strategic risk management helps an organization to consider the various uncertainties that affect its
strategy and the execution thereof, and then act on these. It should not only consider the
stumbling-blocks that may prevent the successful execution and implementation of the organization’s
strategies, but also the risks that the implementation of such strategies may bring.
While the assessment and evaluation of strategic risks lie within the standard risk management
processes, the framework should make specific note of when to apply these processes to strategic
risks. This is necessitated by the infrequent nature of strategic risk management, as well as its
importance in ensuring the relevance of the risk management system itself.
The executive leadership team should specify a regular interval at which strategic risks are to be
identified, assessed, and treated. This is often a yearlong cycle, depending on the nature and
complexity of the organization, and often starts and concludes during an annual strategy planning
session. It can be conducted more or less frequently, as needed by the organization.
Strategic risk management should consider the organization’s risk thresholds (risk appetite and risk
tolerance).
Functionaries responsible for this process should be cognizant of the financial and other reporting
deadlines to which the organization must adhere. Therefore, strategic risk management activities
should be added to the organization’s calendar, so that appropriate information can be obtained for
the executive to make an honest and effective appraisal of the organization’s risk profile.
In many instances, it is appropriate to use more than one technique or methodology in the risk
assessment process. The depth of assessment depends entirely on the context and will be
determined by the specific risk(s) in question, the availability of reliable data, and the
organization’s decision-making criteria. In addition, some methods and the inclusion of certain
details are prescribed by legislation.
Not all assessments are conducted using purely quantitative, numerical methods. Qualitative and
semi-quantitative methodologies can also be used, in which case rating scales and significance levels
deliver results. For example, a risk can be assessed by combining its probability and consequences
according to established criteria, and categorizing it as High, Medium, or Low. Alternatively, a
numerical rating scale can be used to estimate the level of risk according to some previously agreed
formulae or calculations.
risk evaluation process is obtained. This step is important, as it allows the organization to prioritize
its risks, followed by allocating resources appropriately.
It is important to understand that an event or situation can have multiple causes and consequences.
A single event or situation can also affect multiple objectives. In such cases, the risk can be
described using a range of probabilities across a range of circumstances.
The organization’s existing controls should be factored into the risk analysis process, as these will
affect the characteristics of the risk (such as its likelihood and consequences), as well as the extent
to which it has been, or could be, mitigated.
In some circumstances the probability of a risk may be extremely low; this may skew the risk analysis
process such that a risk that can have a significant impact on business continuity is unintentionally
accepted. Alternatively, the consequence may be perceived as insignificant, but, in conjunction
with other events, could nevertheless lead to a catastrophic outcome (i.e., the combination of
risks exceeds the risk tolerance). Both situations require sound judgment and insightful appraisal
of the risk, acknowledgement of any personal or cultural bias towards risk, and a rigorous
application of minimum risk thresholds.
Regardless of the type of analysis (e.g., quantitative, or qualitative) undertaken, the calculated level
of risk remains an estimate, and is influenced by a range of factors. These may include human bias in
the evaluation of the risk, or in the design of the risk scoring criteria of automated systems. Sample
sizes are rarely exhaustive, and while relevant statistical techniques should be applied where
appropriate, comprehensive data cannot be guaranteed.
In addition, a level of accuracy and detail should not inadvertently be ascribed to the results.
Throughout the process, good sense and sound judgment must be applied to the models used, and a
rational decision must be made, based on the information available. Here, the insight and
experience of specialists play an important role in checking the outputs of any modeling process, to
make sure they make sense.
legal, ethical, financial, or other constraints. The decision that should be taken at this point should
consider the following:
• the priority of a risk and, hence, the urgency with which it should be addressed
• any risks that can be accepted without further action, such as those with very low probability
and impact
• those risks that should be accepted only with the implementation of specific responses
• any immediate decisions that are required to avoid risks that breach specific thresholds
“An entity's strategy and objectives and the way they are implemented are based on
preferences, value judgments, and management styles. Management's integrity and commitment to
ethical values influence these preferences and judgments, which are translated into standards of
behavior. Because an entity’s good reputation is so valuable, the standards of behavior must go
beyond mere compliance with the law. Managers of well-run enterprises increasingly have accepted
the view that ethics pays, and that ethical behavior is good business.”
Risk management emphasizes the importance of ethics in enterprise governance, risk, and
compliance systems.
Ethics risk is an organization of risk in the same way that legal, operational, IT, finance, and HR risks
are. As the non-management of ethics risk could give rise to as many, if not more, reputational and
financial costs for an organization as any other type of risk, it warrants equal attention. As such,
ethics risk is a component of the broader organizational risk framework. The risk management
processes of an organization are also highly dependent on the ethical culture of the organization to
enable effective risk management.
Case Study
Sean is an outside hire to his new management position. He understands that
risk management is important, and he takes the time to go over the incident
reports and inspect the facility. An employee tells him that one of the
machines needs to be replaced. He says that several employees have come
close to being injured while using it. He states the machine does not shut off
properly. Sean believes that asking for new equipment this soon is not wise.
He points out to the employee that there are no incident reports for the
specific piece of equipment. The employee responds that the employees
know to be extra careful on the machine, but it is just a matter of time before
someone is injured. Sean ignored the request, and the complaints from three
other employees. He did nothing about the equipment. Two months later, an
employee thought the machine was turned off and got her hand caught in it.
Define Ethics
At its simplest, ethics is a system of moral principles. They affect how people make decisions and
lead their lives.
Ethics is concerned with what is good for individuals and society and is also described as moral
philosophy.
The term is derived from the Greek word ethos which can mean custom, habit, character, or
disposition.
Our concepts of ethics have been derived from religions, philosophies, and cultures. They infuse
debates on topics like abortion, human rights, and professional conduct.
Approaches to ethics
Philosophers nowadays tend to divide ethical theories into three areas: meta-ethics, normative ethics
and applied ethics.
Meta-ethics deals with the nature of moral judgement. It looks at the origins and meaning of
ethical principles.
Normative ethics is concerned with the content of moral judgements and the criteria for what is
right or wrong.
Applied ethics looks at controversial topics like war, animal rights and capital punishment.
Some philosophers think that ethics does do this. They argue that if a person realises that it would
be morally good to do something then it would be irrational for that person not to do it.
But human beings often behave irrationally - they follow their 'gut instinct' even when their head
suggests a different course of action.
However, ethics does provide good tools for thinking about moral issues.
But there's another way of tackling these issues, and that's where philosophers can come in - they
offer us ethical rules and principles that enable us to take a cooler view of moral problems.
So, ethics provides us with a moral map, a framework that we can use to find our way through
difficult issues.
Ethics can pinpoint a disagreement
Using the framework of ethics, two people who are arguing a moral issue can often find that what
they disagree about is just one part of the issue, and that they broadly agree on everything else.
That can take a lot of heat out of the argument, and sometimes even hint at a way for them to
resolve their problem.
But sometimes ethics doesn't provide people with the sort of help that they really want.
Indeed, more and more people think that for many ethical issues there isn't a single right answer -
just a set of principles that can be applied to cases to give those involved some clear choices.
Some philosophers go further and say that all ethics can do is eliminate confusion and clarify the
issues. After that it's up to everyone to come to their own conclusions.
But often there isn't one right answer - there may be several right answers, or just some least worst
answers - and the individual must choose between them.
For others moral ambiguity is difficult because it forces them to take responsibility for their own
choices and actions, rather than falling back on convenient rules and customs.
reflects the moral and ethical beliefs and standards that speak to how people should behave and
interact with others.
Cultural norms are the shared, sanctioned, and integrated systems of beliefs and practices that are
passed down through generations and characterize a cultural group. Norms cultivate reliable
guidelines for daily living and contribute to the health and well-being of a culture. They act as
prescriptions for correct and moral behaviour, lend meaning and coherence to life, and provide a
means of achieving a sense of integrity, safety, and belonging. These normative beliefs, together
with related cultural values and rituals, impose a sense of order and control on aspects of life that
might otherwise appear chaotic or unpredictable.
This is where culture intersects with ethics. Since interpretations of what is moral are influenced by
cultural norms, the possibility exists that what is ethical to one group will not be considered so by
someone living in a different culture. According to cultural relativists this means that there is no
singular truth on which to base ethical or moral behaviour for all time and geographic space, as our
interpretations of truths are influenced by our own culture. This approach contrasts with
universalism, which holds the position that moral values are the same for everyone. Cultural
relativists consider this to be an ethnocentric view, as the universal set of values proposed by
universalists are based on their set of values. Cultural relativism is also considered more tolerant
than universalism because, if there is no basis for making moral judgments between cultures, then
cultures have to be tolerant of each other.
Risk has vernacular and technical meanings. In everyday language a risk is simply a danger. But in
relation to science and technology, risk is often defined as the probability of some harm. The
probability of a benefit is often called a chance. According to another common definition, risk is
identified with the value obtained by multiplying the probability of some harm or injury by its
magnitude. With any attempt to spell out the details of how this might be done, however, problems
arise since it is not clear that there is a single measure for all harms or injuries. Attempts have been
made to measure all health effects in terms of quality-adjusted life years (Nord 1999). Risk-benefit
analysis goes one step further and measures all harms in monetary terms (Viscusi 1992). However,
as several critics have pointed out, such unified approaches depend on controversial value
assumptions and may be difficult to defend from an
ethical point of view (Shrader-Frechette 1992).
focused on situations in which the morally relevant properties of human actions are both well-
determined and knowable. In contrast, moral problems in real life often involve risk and uncertainty.
According to common moral intuitions it is unacceptable to drive a vehicle in such a way that the
probability is 1 in 10 that one runs over a pedestrian, but acceptable if this probability is 1 in 1
billion. (Otherwise, one could not drive at all.) It is far from clear how standard moral theories can
account for the difference and explain where the line should be drawn.
The purpose of an ethics risk assessment is to identify the beliefs, practices, and behaviors (conduct)
that are either (a) counterproductive to the maintenance of the ethical principles and standards that
regulate desirable relationships among organizational stakeholders, or (b) enablers of such ethical
principles and standards.
When conducting an ethics opportunity-risk assessment, an organization has to engage with its
internal and external stakeholders, to determine (a) stakeholders' perceptions of the organization’s
ethics and (b) what they expect of the organization regarding ethics.
An ethics risk assessment is neither a forensic investigation, nor an ethics audit. It is also not an
opportunity to identify transgressors and engage in a witch-hunt to oust them. It is a research
intervention to ascertain the ethics perceptions and expectations that stakeholders of the
organization hold.
An ethics risk assessment provides an organization with a broad frame of reference within which an
effective ethics management strategy can be formulated. The ethics risk assessment produces a
take on the state of the organization’s ethics; as such, it will provide a general indication of whether
there is a risk of unethical behavior in the organization. The ethics risk assessment also culminates in an ethics
risk profile, which translates into identification of specific ethics risks, the extent of the prevalence of
the perceived ethics risks, and the ethics risks’ ratings (high, moderate, or low).
An ethics risk assessment only addresses the first step of the risk assessment process of risk
management; that is, the risk identification process (type of ethics risk), the extent (ethics risk
prevalence) to which it is perceived to occur, and the risk rating. As such, it considers neither the
consequences nor impact of risk events occurring, nor the likelihood that the risk event will occur
and the impact it may have on the organization’s objectives. Once the ethics risk assessment has
been completed, the ethics office will further analyze and evaluate the ethics risks in conjunction
with the organization’s risk management function. Current control mechanisms to deal with ethics
risks will be factored into this process, as well as further control mechanisms required to ensure
proper ethics risk mitigation. The process culminates in an ethics risk register, which forms an
important part of the organization’s overall risk register.
The next section of this handbook will provide more clarity on the nature and mitigation of ethics risks
identified during an ethics risk assessment and the responsibilities of the respective organizational
role players (ethics practitioners and risk practitioners).
As can be seen from the figure, an impetus has to be provided for the ethics risk assessment to be
commissioned. This impetus is provided either by a triggering event, at one extreme (e.g., a
corporate scandal - reactive), or by an organizational context that is pro-active and seamlessly
integrated with the organization’s strategic and sustainability objectives. The instruction to execute
an organizational ethics risk assessment usually emanates from the governing body or the
committee responsible for ethics governance.
The ethics office then proceeds to formulate the ethics risk assessment intervention - this includes
the planning of the process and acquisition of the required financial, human, and other resources.
An appropriate risk assessment methodology is selected (qualitative, quantitative, or a combination
thereof), according to which of these will yield the most valid and reliable results.
The intended scope and depth of the assessment then informs the identification and prioritization of
stakeholders (e.g., internal and/or external) to be polled in the assessment intervention. The chosen
methodology is then applied, and data obtained. Once all the data has been gathered, it is subjected
to scientific qualitative and/or quantitative data analyses by expert qualitative and/or quantitative
data analysts (the latter being statisticians).
All the data obtained is then integrated in a form that meets the expectations of the intended initial
target audience (e.g., ethics governance committee). The integrated data is then included in a
comprehensive written report, i.e., the organization’s ethics opportunity-risk profile. The profile is
then presented to the source of instruction in written and verbal format.
The duration of an ethics risk assessment could vary from one week for a smaller organization or one
that opted for a dipstick analysis, to several months for a larger organization or one that opted for a
comprehensive assessment. The process is repeated at regular intervals, e.g., a three-year cycle.
Continuous monitoring of the ethics risks is imperative - this happens through collaboration with the
risk function and is guided by the organization’s ethics risk register. Unforeseen incidental risks need
to be dealt with in an ad hoc manner as they arise.
The factors that determine the frequency with which an organization should assess its ethics
opportunities and risks are organization size, number of employees, budget, ethics management
skills levels within the organization, type of industry, reporting requirements,
and the desired scope and depth of assessment. Typically, a comprehensive and in-depth ethics risk
assessment is conducted every two to three years.
It should be borne in mind that, depending on the scope and depth of the assessment, e.g., whether
both internal and external stakeholders' perceptions and expectations are polled, a risk assessment
process, from the time of the request to the feedback of the results, could take between one and six
months to complete.
The following three broad approaches to determining an ethics risk assessment project's scope and
depth could be utilized:
1. 'Dipstick' assessment: a limited number of qualitative interviews (e.g., six, with key internal
stakeholders, including employees) and a quantitative survey. Representativeness of data:
Quantitative: Good; Qualitative: Poor.
2. Selective assessment: approximately 15 qualitative interviews with key internal stakeholders and
a quantitative survey. Representativeness of data: Quantitative: Good; Qualitative: Acceptable.
3. Comprehensive analysis:
• Approximately 40 qualitative interviews with key internal and external stakeholders
• A quantitative survey
• Document analyses, benchmarking (comparing the organization’s opportunities and risks to
those of other, similar national or international organizations)
• The organization’s media exposure, i.e., the quantity and quality of media coverage
afforded to the organization in the recent past, where these reports could either have
enhanced or undermined the organization’s ethics reputation
The most comprehensive results are obtained when using a combined approach of quantitative and
qualitative measures. The popular approach is to first conduct a qualitative assessment. The data
yielded by qualitative methods is analyzed through the application of content analysis
methodologies. The major and sub-themes that emerge from the data analyses inform the
identification of the types of ethics opportunities and risks that exist, or may occur in the
foreseeable future, that could enhance or undermine the ethics dimension of the organization’s
reputation.
the willingness to talk about ethics and ethics challenges, leadership commitment to ethics, and
the ethical treatment of employees.
3. Ethics management risks – this category of ethics risk refers to the presence and perceived
success of ethics management structures, strategies, and interventions. Examples of related
themes include the existence and status of the organization’s code of ethics, the inclusion of
ethics in employee induction (on-boarding) interventions, ethics training conducted, conducting
integrity assessments of prospective employees,
the extent to which ethical behavior is appraised in performance management systems, and the
existence of ethics helpdesks and safe reporting facilities.
What? They do not identify the 'How much?', i.e., the prevalence or perceived frequency or intensity
of occurrence. They also do not yield information on the potential impact or likelihood of occurrence.
A quantitative assessment therefore needs to be applied after the qualitative assessment, where the
themes (ethical conduct risks) that emerged from the qualitative assessment inform the contents of
the items of a questionnaire or survey. The questionnaire is then used to assist the organization in
determining the extent to which the themes are perceived to occur or may occur in future. A risk
rating exercise is then conducted, which will yield risk ratings of high, moderate, or low.
To further the example used above: supplier relations and its sub-themes as potential risks can now
be assessed in quantified terms. See the table below for an example.
The quantitative assessment may also be used to assess the extent to which the organization is
perceived to deal with these risks without delay, should they occur, e.g., the extent to which
unethical behavior (conduct), when it occurs, is encouraged, condoned, ignored (turning a blind
eye), discouraged but not dealt with, or discouraged and dealt with effectively. A further use of such
a quantitative assessment may be to assess whether the respondents to the survey are familiar with
policies that exist in the organization to deal with such behaviors.
Should the ethics dimension of the organizational culture be weak or underdeveloped, prevailing
beliefs, practices, and behaviors become an ethics risk. Ethical culture risks could therefore also be
addressed by means of the ethics risk survey. See the table below for an example.
Ethics management risk | Yes | No | I don't know
The value of qualitative data obtained through the qualitative dimension of ethics risk
assessment interventions should never be negated, as the data reflects the true opinions that
respondents offer freely, as opposed to data obtained through surveys, where respondents provide
answers only within the parameters of what is offered to them.
Risk rating
Quantitative data is easily interpreted using a risk rating scale. As an example, the scale below
utilizes agreement scores (in terms of responses to ethics risk surveys) and could be used to present
the ethics opportunities and risks (threats) to which an organization may be exposed.
Low risk areas refer to issues (or behaviors) where respondents disagree or strongly disagree that
these issues are prevalent in (or relevant to) the organization. Moderate risk areas refer to issues (or
behaviors) where respondents only slightly disagree or slightly agree that these issues are prevalent
in (or relevant to) the organization. High risk areas refer to issues (or behaviors) where respondents
agree or strongly agree that these issues are prevalent in (or relevant to) the organization.
All moderate and high risks should be brought to the attention of the organization’s risk function,
who, in turn, could integrate these risks into the portfolio of organizational risks to be managed.
Furthermore, an organization could, for example, identify its top 5 to 10 high risk areas, and label
these material ethics risks, or risks that could undermine the organization’s efforts to reach its
objectives through the implementation of organizational strategies. These material ethics risks will
also then resort within the ethics dimension of the ethics committee's mandate. This process
will be clearly illustrated in the case study and ethics risk management toolbox, to be presented in
another section of the handbook.
Strategy
Once an organization has assessed its ethics opportunities and risks, it can proceed to meaningfully
utilize, in a structured way, the information obtained. As such, the type of ethics management
strategy required to capitalize on opportunities and mitigate negative risks could be informed by
the results of the risk assessment.
For example, should an organization decide on a compliance strategy to deal with the supplier
relations risk, it would translate this strategy into an ethics management plan designed to strictly
monitor and regulate relations with suppliers. On the other hand, an integrity- or values-based
strategy could focus on regular values-based discussions as a component of the organization’s more
encompassing stakeholder relations drive, rather than adopting many rules and policies and
following a punitive approach.
It is also then required to link the codes and policies to the ethics management strategy that is
deemed appropriate for the organization now. For example, a compliance strategy would have at its
core a code of ethics with a strong directional/rules-based focus. Such a code will contain clear
guidelines on how suppliers should be treated, and how suppliers are expected to act in accordance
with organizational prescripts. Moreover, stringent procurement policies and processes that
provide specific guidance on how to manage supplier relations need to be formulated. At a micro
level, the finance function (creditors) would have very specific rules regarding when suppliers should
be paid, e.g., within 25 days of submitting an invoice. Some organizations have specific clauses
included in supplier contracts, according to which suppliers are expected to adhere to the
organization’s ethics requirements. A gift registry system must be implemented and closely
monitored, to prevent employees from accepting irregular or expensive gifts from suppliers.
Should an integrity- or values-based strategy be followed, the code of ethics would have an
inspirational character, whereby values-based guidelines on the treatment of business partners (e.g.,
suppliers) will be provided in broad terms. In this example, procurement policies that have room for
discretion would probably be formulated.
Institutionalizing ethics
The formulation of appropriate codes and policies to utilize ethics opportunities and mitigate
negative risks is followed by the institutionalization of ethics guidelines contained in codes and
policies. Specific ethics awareness programs and dedicated ethics training programs must be
designed and implemented for the organization’s employees, specifically those in the procurement
function, and for suppliers/contractors alike.
A critical consideration for ethics practitioners is that ethics must be strategically incorporated into
the existing business processes of the organization. It is thus imperative that the ethics office form
a partnership with the risk managers. Since risk managers are the custodians of all risks in an
organization, they enjoy the respect and co-operation of colleagues. They report to an oversight
structure (e.g., risk and/or audit committee(s) of the board). Therefore, an ethics risks register
should be compiled after an ethics opportunity-risk assessment has been conducted. This action
should be executed through a joint effort of the risk manager and the ethics officer. Through this
approach, the ethics risks will be incorporated into the organization-wide risk management
framework (managed by risk managers).
The risk manager will facilitate the identification of ethics risks, and then develop an ethics risk
register. The risk owners, typically line managers, will be
identified based on the issues that emanate from the
ethics risk assessment, and these will be communicated to
them. Action plans are then developed (largely ethics programs
that the risk owner will have to implement in conjunction with
the ethics officer), and timelines will be allocated. For example,
in the case of the supplier relations risk, the risk area gifts from
suppliers will be appropriated by the risk manager, while line
managers, particularly those in the procurement function, would become the risk owners.
The main premise upon which research ethics is based is to avoid harm to subjects. This is
irrespective of the research methodology adopted for the assessment process, i.e., qualitative
and/or quantitative. In the attempt to avoid harm, the following research ethics principles should be
accounted for during an ethics risk assessment process:
Content
Researchers and, in this case, ethics risk assessors have an ethical obligation to ensure that nothing
but the organization’s ethics risk is measured. This will result in sound face validity (items/questions
are perceived by subjects as assessing ethics risks, nothing else) and construct validity (ethics risk as
a construct is indeed measured). The questions posed to subjects during an ethics risk assessment
intervention, whether in interviews or as items in a quantitative survey, should also be non-invasive.
This implies that subjects should not be psychologically uncomfortable responding to questions, nor
be hesitant to expose 'their inner selves' during the assessment process. Questions should be
formulated in such a way that perceptions are assessed, not personal integrity or propensity for
ethical or unethical behavior. In both quantitative and qualitative ethics risk assessments, subjects
should all be asked the same questions, as this will ensure assessment reliability.
Objectivity
For an ethics risk assessment to be objective and to be perceived as objective by the organization
and its participating stakeholders, it is advisable to utilize an independent third-party organization
and its interviewers/facilitators as the assessing entity. Research subjects are less reluctant to share
sensitive information pertaining to ethics risks with an objective third party that has no vested
interest in the outcome of the risk assessment. Interviewers and facilitators should be properly
trained, to ensure a professional and objective assessment.
Informed consent
Research subjects, i.e., participants (the term that applies to qualitative assessment) and
respondents (applicable in quantitative assessment), should be informed of:
1. how they were selected to participate in the assessment (preferably through a random selection
by, e.g., employee number)
2. what the assessment will entail in terms of process and content
3. how the results will be used by the organization
4. the fact that they will receive feedback once the results of the assessment have been shared with the
organization’s senior leadership
5. the voluntary nature of their participation
6. their right to withdraw from the assessment at any time, without consequences
7. the source that they should contact should any item or procedure in the assessment process be
unclear
8. the fact that, by participating in the assessment process, they automatically give their informed
consent
It is crucial that subjects are informed by the chief executive officer about the imminence and nature
of the assessments well prior to commencement.
Anonymity
The cardinal rule is that subjects should never suspect that their identity could be revealed in any
way. Demographic information solicited in quantitative surveys should be limited to information
that will be essential to decision-makers involved in risk mitigation. Respondents should not be
required to surrender personal information such as names or employee numbers. Participants in
interviews should be well briefed on their ethical rights. In the case of group interviews, facilitators
should clearly communicate that the participants' identities are of no importance, but that obtaining
their perceptions of ethics opportunities and risks that occur in the organization is the true objective
of the assessment process. The use of attendance registers should be avoided. As an ethics risk
assessment is not a forensic investigation, participants should be discouraged from identifying ethics
transgressors, but should rather focus on the type and frequency of ethical transgressions.
Confidentiality
All information obtained, demographic or otherwise, should always be kept absolutely confidential.
Surveys should be hosted by external, independent data-hosting service providers, and should
preferably not be channeled via the organization’s IT function. Trends or patterns of behavior should
be reported in the risk profile documents and during feedback sessions, rather than who did what
when.
Explaining the option you have decided on to those affected and to other interested parties:
• requires you to act in a way that your client, or another party, may not like or may find difficult
to understand
• requires you to be able to justify your actions in a logical and straightforward manner - if you
cannot explain your actions, then it is more likely that you are acting based on your feelings or
prejudices
• will often require you to have kept excellent records that note the essentials of what the issue
was, what you did to resolve it, the options you considered and how you communicated your
decision to those affected.
Ethics of Governance
Organizations Data is committed to ethical and lawful business conduct in all countries in which it
operates. We believe that an integrated approach to governance, ethics, risk, and compliance
strengthens our values and promotes our objectives as a responsible business.
Ethics policy
All business dealings
are carried out with transparency and integrity. We encourage our employees to uphold our
principles, values, and ethics policy. We provide guidelines to explain what is expected of every
person who works for Organizations Data, irrespective of where we do business.
Organizations Data’s practice of responsible corporate behavior includes:
• compliance with all laws and regulations
• zero tolerance for corrupt or illegal practices
• an anti-bribery and corruption policy which states that bribes and
other illicit payments may not be paid or accepted
• a policy which specifies the giving and acceptance of business gifts
and hospitality
• maintaining the confidentiality of clients’ information and personal data
• not participating in any conduct that constitutes anti-competitive behavior
• not permitting directors or employees to engage in business on behalf of Organizations Data
with organizations in which they have a material interest, without full disclosure
Organizations Data’s Group Ethics and Compliance Committee reports to the Audit Committee on all
aspects of the Group’s compliance with relevant laws, regulations, external policies, as well as with
its own internal policies and procedures for ethical business practices. Our Compliance office
manages an ethics and compliance programme which provides guidance on business conduct and
ethics and conducts periodic compliance reviews.
approach is that these risks are now visible to every stakeholder in the organization with access to
the system. Instead of this vital information being locked away in a report which must be requested
via email, anyone who wants to see which risks have been identified can access the information in
the risk management system.
everyone. Computers are also much better at continuously monitoring risks than people. Monitoring
risks also allows your business to ensure continuity. We can tell you how you can create a risk
management plan to monitor and review the risk.
Risk management is an important business practice that helps businesses identify, evaluate, track,
and improve the risk mitigation process in the business environment. Risk management is practiced
by businesses of all sizes; small businesses do it informally, while enterprises codify it. Businesses
want to ensure stability as they grow. Managing the risks that are affecting the business is a critical
part of this stability. Not knowing about the risks that can affect the business can result in losses for
the organization.
Being unaware of a competitive risk can result in loss of market share, being unaware of financial risk
can result in financial losses, being unaware of a safety risk can result in an accident, and so on.
Businesses have dedicated risk management resources; small businesses may have just one risk
manager or a small team while enterprises have a risk management department. People who work
in the risk management domain monitor the organization and its environment. They look at the
business processes being followed within the organization, and they look at the external factors
which can affect the organization one way or the other. A business that can predict a risk will always
be at an advantage. A business that can predict a financial risk will limit its investments and focus on
strengthening its finances.
A business that can assess the impact of a safety risk can devise a safe way to work which can be a
major competitive advantage. If we think of the business world as a racecourse then the risks are the
potholes which every business on the course must avoid if they want to win the race. Risk
management is the process of identifying all the potholes, assessing their depth to understand how
damaging they can be, and then preparing a strategy to avoid damages. A small pothole may simply
require the business to slow down while a major pothole will require the business to avoid it
completely. Knowing the severity of a risk and the probability of risk helps businesses allocate their
resources effectively. If businesses understand the risks that affect them then they will know which
risks need the most attention and resources and which ones the business can disregard. Risk
management allows businesses to act proactively in mitigating vulnerabilities before any major
damage is incurred. There are different types of risk management strategies and solutions for
different types of risks.
The Risk Universe has listed 65 business processes, but not all of these would necessarily be
applicable to your business, so you would need to select those that are applicable and consider only
those specifically for your business.
For example:
If your business does not sell on credit, you could eliminate the Debtors Business Process, or
If your business only buys for cash, you could eliminate the Creditors Business Process.
Risk analysis
The second step in the Risk Management Process is Risk Analysis, and for this we consider an extract
from Definition – viz. the process of (c) analyzing and ranking the importance of the identified risks.
Once you have identified the business processes that are applicable to your business, and you have
defined the objectives of each of these business processes, and have identified the risks that could
prevent you from achieving these objectives, you need to analyze the risk and rank these according
to:
• The Likelihood that the risk will occur, and
• The Impact that the risk will have if it does occur
An example of how a risk analysis could be used is depicted in the figure below, which shows the Risk of
Impact that the Reserve Bank uses as a frame of reference.
The more traditional way to depict the risk analysis is in a Risk Matrix, where the Impact is depicted on one
axis and the Likelihood on the other axis. In this type of scatter graph each risk is mapped according to the
Impact and the Likelihood as rated by management during the risk assessment and the risk rating is drawn
from the shading on the graph, according to the block in which it falls. (See Figure 5.2 below).
Thus, if the impact of a specific risk was rated as 2 and the likelihood was also rated as 2, the risk rating would
be in block 6 and thus a Low Risk. Likewise, if the impact was rated as 4 and the likelihood rated as a 3, the
risk rating would fall into Block 18 and would thus be rated as Medium Risk. Similarly, if the impact was
rated as 5 and the likelihood rated as a 5, the risk rating would fall into Block 25 and would thus be rated as
High Risk.
Traditionally the risk rating is on a scale of 3 with High, Medium, or Low as the ratings, but some
practitioners add an additional category of extreme or some similar name for blocks 23 to 25. However, it is
submitted that this adds an unnecessary level of complexity, as the reaction to a high risk and an extreme
risk should be similar as both should trigger alarm at Board level and require immediate reaction. Also, some
risk practitioners use a scale of 1 to 10, which may lead to a lot of discussion on each point which is not
beneficial to the risk analysis process.
looking at and considering; Your accident and ill-health record; non-routine operations; Long-term
hazards to health.
Frequency, scope, and depth of ethics and risk assessment Risk rating (Mitigation process)
All companies face risk; without risk, rewards are less likely. The flip side of this is that too much risk
can lead to business failure. Risk management allows a balance to be struck between taking risks and
reducing them.
Effective risk management can add value to any organization. In particular, companies operating in
the investment industry rely heavily on risk management as the foundation that allows them to
withstand market crashes.
An effective risk management framework seeks to protect an organization's capital base and
earnings without hindering growth. Furthermore, investors are more willing to invest in companies
with good risk management practices. This generally results in lower borrowing costs, easier access
to capital for the firm, and improved long-term performance.
Effective risk management plays a crucial role in any company's pursuit of financial stability and
superior performance. The adoption of a risk management framework that embeds best practices
into the firm's risk culture can be the cornerstone of an organization's financial future.
There are at least five crucial components that must be considered when creating a risk
management framework. They include risk identification; risk measurement and assessment; risk
mitigation; risk reporting and monitoring; and risk governance.
Risk Identification
The first step in identifying the risks a company faces is to define the risk universe. The risk universe
is simply a list of all possible risks. Examples include IT risk, operational risk, regulatory risk, legal risk,
political risk, strategic risk, and credit risk.
After listing all possible risks, the company can then select the risks to which it is exposed and
categorize them into core and non-core risks. Core risks are those that the company must take in
order to drive performance and long-term growth. Non-core risks are often not essential and can be
minimized or eliminated completely.
Risk Measurement
Risk measurement provides information on the quantum of either a specific risk exposure or an
aggregate risk exposure and the probability of a loss occurring due to those exposures. When
measuring specific risk exposure it is important to consider the effect of that risk on the overall risk
profile of the organization.
Some risks may provide diversification benefits while others may not. Another important
consideration is the ability to measure an exposure. Some risks may be easier to measure than
others. For example, market risk can be measured using observed market prices, but measuring
operational risk is considered both an art and a science.
Specific risk measures often give the profit and loss ("P/L") impact that can be expected if there is a
small change in that risk. They may also provide information on how volatile the P/L can be. For
example, the equity risk of a stock investment can be measured as the P/L impact of the stock as a
result of a 1 unit change in, say, the S&P500 index or as the standard deviation of the particular
stock.
Common aggregate risk measures include value-at-risk (VaR), earnings-at-risk (EaR), and economic
capital. Techniques such as scenario analysis and stress testing can be used to supplement these
measures.
Risk Mitigation
Having categorized and measured its risks, a company can then decide on which risks to eliminate or
minimize, and how much of its core risks to retain. Risk mitigation can be achieved through an
outright sale of assets or liabilities, buying insurance, hedging with derivatives, or diversification.
Risk Governance
Risk governance is the process that ensures all company employees perform their duties in
accordance with the risk management framework. Risk governance involves defining the roles of all
employees, segregating duties, and assigning authority to individuals, committees, and the board for
approval of core risks, risk limits, exceptions to limits, and risk reports, and also for general
oversight.
the concern. Risk identification is the critical first step of the risk management process depicted in
the figure below.
The objective of risk identification is the early and continuous identification of events that, if they
occur, will have negative impacts on the project's ability to achieve performance or capability
outcome goals. They may come from within the project or from external sources.
There are multiple types of risk assessments, including program risk assessments, risk assessments
to support an investment decision, analysis of alternatives, and assessments of operational or cost
uncertainty. Risk identification needs to match the type of assessment required to support risk-
informed decision making. For an acquisition program, the first step is to identify the program goals
and objectives, thus fostering a common understanding across the team of what is needed for
program success. This gives context and bounds the scope by which risks are identified and assessed.
Risk Rating is assessing the risks involved in the daily activities of a business and classifying them
(low, medium, high risk) on the basis of the impact on the business. It enables a business to look for
control measures that would help in curing or mitigating the impact of the risk and in some cases
negating the risk altogether.
In situations where the risk cannot be mitigated or negated the business has to accept that the risk is
open and there are no control functions to curb the impact. It depends on the likelihood of the risk
event occurring and the severity of the impact on the business and its employees.
Risk is rated on the impact on the business which can be economic or reputational and its likelihood
of occurring in the near future. This is the common pattern of risk across businesses.
Likelihood Rating
This rates the risk on the basis of its recurrence which can change depending on the type of the
business that is being considered. For example, for a fast-food company, a frequent likelihood rating
will be something that can happen every day whereas for an investment bank it would be something
that happens in a month or so.
Frequent
Likely
Possible
Unlikely
Rare
It is important to differentiate between 'feelings', 'laws', 'social norms' and 'ethics'. Many times,
people tend to equate ethics with their feelings. However, being ethical is not always a matter of
following one's feelings. A person following his or her feelings may shy away from doing what is
right. In fact, feelings frequently deviate from what is ethical. Furthermore, being ethical is also not
always the same as following the law. The law often incorporates ethical standards to which most
citizens subscribe. But laws, like feelings, can deviate from what is ethical. One example is America's
own pre-Civil War slavery laws that are grotesquely obvious examples of laws that deviate from
what is actually ethical. Finally, being ethical is not the same as doing "whatever society accepts." In
any society, most people accept standards that are, in fact, ethical. But standards of behavior in
society can deviate from what is ethical. An entire society can become ethically corrupt. Nazi
Germany is a good example of a morally corrupt society.
What, then, is ethics? First, ethics refers to standards of right and wrong
that prescribe what humans ought to do, usually in terms of rights,
obligations, benefits to society, fairness, or specific virtues. Ethical
standards include standards relating to rights, such as the right to life, the right to freedom from
injury, and the right to privacy. Such standards are adequate standards of ethics because they are
supported by consistent and well-founded reasons.
Secondly, ethics refers to the study and development of one's ethical standards. As mentioned
above, feelings, laws, and social norms can deviate from what is ethical. So, it is necessary to
constantly examine one's standards to ensure that they are reasonable and well-founded. Ethics also
means, then, the continuous effort of studying our own moral beliefs and our moral conduct, and
striving to ensure that we, and the organizations we help to shape, live up to standards that are
reasonable and solidly-based.
Handout sample at the end of the Learning: Worksheet for Ethical Deliberation
This worksheet has been designed to assist advisers to make professional and ethically responsible
decisions, by encouraging them to think about their own ethical standards in a professional context,
and reflecting on the following questions:
What are ethics? Why are they important?
What ethical behaviors do I think are important to display as an adviser?
How do my decisions affect my clients and others?
Methodology
With reference to the flowchart below, write under each heading the relevant points that apply to
the ethical situation that you are trying to resolve.
Do I have choices?
What is at stake?
Explain my actions – I should be able to justify them in a logical and straightforward manner
I should have kept records of my decision – now also keep a record of how I communicate my decision to those
affected
Principle 2: The governing body should determine the levels of risk tolerance/appetite
At least once a year, the governing body should set specific limits for the levels of risk the
organization is able to tolerate in pursuit of its objectives. The governing body may also set limits
regarding the organization’s risk appetite, i.e., those risks that the governing body desires or is
willing to take. The limits are both financial and non-financial, and instances of the risk appetite
limits exceeding or deviating materially from the risk tolerance limits should be disclosed in the
integrated annual report.
Principle 3: The risk committee or audit committee should assist the governing body in
carrying out its risk responsibilities
To assist it in the discharge of its duties and responsibilities with regard to risk management, the
governing body should appoint a risk committee to review the risk management process and its
maturity, the effectiveness of the risk management activities, the key risks facing the company, and
the responses to those risks. This may be assigned to the audit committee, if it has the capacity. The
risk committee may appoint independent risk experts to supplement skills and experience.
Principle 5: The governing body should ensure that risk assessments are performed
on a continual basis.
The governing body in the organisation should ensure that the organisation has and maintains an
effective ongoing risk assessment process consisting of risk identification, risk quantification, and
risk evaluation. Following the risk assessment process, risks and opportunities should be prioritized
and ranked, to ensure a focus on the most critical risk responses.
Principle 6: The governing body should ensure that frameworks and methodologies
are implemented, to increase the probability of anticipating unpredictable risks.
The risk assessment process should be of such a nature that it can help the organization to
anticipate systemic, aggregated, consequential, and other unpredictable risks.
Principle 7: The governing body should ensure that management considers and
implements appropriate risk responses.
Management should identify and consider different ways in which the organisation can respond to
the risks identified during the risk assessment process, and the governing body should ensure that
those responses are in place.
The three principles that address the monitoring, assurance, and disclosure of risk are:
Principle 9: The governing body should receive assurance regarding the effectiveness
of the risk management process.
Management is accountable for providing the governing body with assurance that it has
implemented and monitored the risk management plan, and that it is integrated into the
organisation's daily activities. Each year, an independent assurance provider should provide a
written assessment of the effectiveness of the system of internal control and risk management
to the authority.
It is the foundational departure point of this handbook that ethics risks are on an equal footing
with other organisational risks (e.g., financial, operational, legal, IT-, and HR risk) in terms of
the potential monetary and reputational damage they can cause if not managed properly. It
therefore stands to reason that the principles discussed above are equally applicable to ethics
risk as they are to other categories of risk. The management of ethics risk requires a dedicated:
Governance management encourages efficient use of resources and accountability for the
stewardship over those resources. One of the key components of governance management is to
align the interests of individuals, the organization, and society. Governance management
encompasses setting goals and objectives, determining ethical standards, establishing the intended
culture, ensuring compliance, and designing and implementing the governance framework.
It is important for boards to manage governance because it creates efficiency in the work that they
do. In addition, good governance practices highlight instances of errors and problems. By flagging
potential issues, boards have the chance to respond quickly and appropriately. A focus on good
governance holds the board accountable for improving efficiency, which also lends itself to reducing
costs. When boards practice good governance, all processes run smoothly. There is less chance of
crisis where the board needs to react rather than act and they have the proper time to be
responsible in their acts and decision-making. Organizations that have a culture that supports good
governance practices are more likely to offer quality products and services that meet the demands
and expectations of the public.
Good governance lends assurance to shareholders and stakeholders that the organization is being
transparent about their finances and conduct and that they’re treating all people with dignity and
respect. Best practices result from good governance and create a framework against which all
companies and organizations can measure themselves.
Good governance assures us of many things including that it reduces risk and prevents fraud and
unscrupulous behavior. When we put it all together, good governance leads to growth and success
which is the whole reason for organizations to form in the first place.
Risk committee
The Risk Committee (the “Committee”) is an independent committee of the Board of Directors that
has, as its sole and exclusive function, responsibility for the oversight of the risk management
policies and practices of the Corporation’s global operations and oversight of the operation of the
Corporation’s global risk management framework.
The global risk management framework shall be commensurate with the structure, risk profile,
complexity, activities, and size of the Corporation and include:
the Corporation’s Policies and procedures establishing risk management governance, risk
management procedures, and risk control infrastructure for global operations; and the Corporation’s
processes and systems for implementing and monitoring compliance with such policies and
procedures, including
(i) identifying and reporting of risks and risk management deficiencies, including emerging
risks, and ensuring effective and timely implementation of actions to address emerging
risks and risk management deficiencies for the Corporation’s global operations;
(ii) establishing managerial and employee responsibility for risk management;
(iii) ensuring the independence of the risk management function; and
(iv) integrating risk management and associated controls with management goals and the
Corporation’s compensation structure for its global operations.
The Committee will assist the Board of Directors in fulfilling its oversight responsibilities about the
risk appetite of the Corporation, the Corporation’s risk management and compliance framework,
and the governance structure that supports it. Risk appetite is defined as the level and type of risk a
firm is able and willing to assume in its exposures and business
activities, given its business objectives and obligations to
stakeholders.
The Committee will have the resources and authority appropriate to discharge its responsibilities,
including sole authority to retain and terminate the engagement of such consultants or independent
counsel to the Committee as it may deem necessary or helpful in carrying out its responsibilities, and
to establish the fees and other terms for the retention of such consultants and counsel, such fees to
be borne by the Corporation.
Is not an officer or employee of the Corporation and has not been an officer or employee of the
Corporation during the immediately preceding three-year period;
Is not a member of the immediate family of a person who is, or who has been within the last
three years, an executive officer of the Corporation; and
Is an independent director under Securities and Exchange Commission standards.
Except as limited by law, regulation or the rules of the New York Stock Exchange, the Committee
may form subcommittees for any purpose that it deems appropriate and may delegate to such
subcommittees or to members of the Corporation's management such power and authority as it
deems appropriate, provided, however, that any such subcommittees shall meet all applicable
independence requirements and that the Committee shall not delegate to persons other than
independent directors any functions that are required — under applicable law, regulation, or stock
exchange rule — to be performed by independent directors.
The Committee shall meet as frequently as necessary to fulfill its duties and responsibilities, but not
less frequently than quarterly. A meeting of the Committee may be called by its chair or any two
members of the Committee.
The Committee shall coordinate with the Audit Committee of the Board (which may be done through
the Chairs of each Committee) to ensure that each Committee has received and, when appropriate,
discussed the information necessary to fulfill their respective responsibilities and duties with respect
to areas of common interest. These areas may include, among other matters, the Corporation's
methods for identifying and managing risks, and significant matters including, but not limited to,
investment portfolio issues, frauds, regulatory enforcement actions, litigation or whistleblower
matters, and technology issues.
The Committee may request any officer or employee of the Corporation, or any special counsel or
advisor, to attend a meeting of the Committee or to meet with any members of, or consultant to,
the Committee. The agenda for each Committee meeting will provide time during which the
Committee can meet separately in executive session as a committee. As needed, the Committee may
meet with management, the Chief Risk Officer, the Chief Compliance Officer, and the independent
auditors during such executive sessions.
The Committee shall fully document and maintain records of its proceedings, including risk
management decisions. Minutes of its meetings will be approved by the Committee and maintained
on its behalf. The Committee shall report its activities to the Board of Directors on a regular basis
and make such recommendations as it deems necessary or appropriate.
Except to the extent subject to the jurisdiction of another committee of the Board of Directors
pursuant to that committee's charter, the Committee will also have the responsibility to:
Review the scope of work of Risk and Compliance and its planned activities with respect to the
risk management and compliance activities of the Corporation.
Annually, or at other appropriate intervals, review and approve the compensation of the Chief
Risk Officer, as recommended by the Chief Executive Officer and/or the Human Resources and
Compensation Committee;
Receive from management regular updates regarding corporate-wide compliance with laws and
regulations;
Review the Corporation’s capital adequacy, capital planning process, stress testing and related
activities;
Escalate to Audit Committee members any items that have a significant financial statement
impact or require significant financial statement/regulatory disclosures; and
Escalate to Audit Committee members other significant issues, including, but not limited to,
significant compliance issues, as soon as deemed necessary by the Committee.
The above figure illustrates the interface between the risk management function and the ethics
management function in the organization. As previously mentioned, ethics risk is a specific category
of risk that ideally needs to be addressed by the risk management function, in co-operation with the
ethics office.
c) incorporates the ethics risk register into the organizational risk register
d) reports on all risks to the audit and/or risk committee(s) of the governing body
8. The audit and/or risk committee report(s) to the governing body on all risks identified and
managed.
9. The governing body evaluates all organizational risks.
10. The governing body, through the CEO, delegates responsibility for developing/
managing/monitoring the risk management plan to management. That is, it instructs the risk
management function and/or the ethics office to become the risk owners that deal with the
mitigation of risks. The risk owners then report to their respective committees at the end of the
next reporting cycle.
11. The ethics officer plays an important role in ensuring that there is a management plan for
material ethics risks (the ethics risk management plan is incorporated into the risk management
plan).
12. The risk management policy indicates when these plans are submitted to the chief risk officer,
and how/when reporting on progress takes place.
13. The ethics officer or chair of the ethics governance committee may be called to report on the
progress of the ethics management strategy and plan; presentations are usually also required
by the governing body, its sub-committees, e.g., audit and/or risk committee(s) (the same
applies to the OHS officer, and the OHS committee.)
14. The risk management function may not be directly involved in the mitigation of ethics risks or
drafting of ethics risk response plans, but is involved in the facilitation of the process, and
advises on the operationalization of the frameworks. This is usually the function of the risk
owner, which, in the case of ethics risks, could be the ethics officer and/or line management of
other organizational functions.
15. Line managers act as the owners of both risks and ethics risks; they deal with the day-to-day
management of risks and are more 'hands-on.'
16. Risk owners also determine the impact of risks, whereas the risk management function is
responsible for the monitoring and evaluation of risks.
Should the organization not have a dedicated ethics office, the ethics risks identified need to be
dealt with by the organizational risk management function.
The fundamental reasons why organisations should adopt good governance practices include:
To preserve and strengthen stakeholder confidence – nothing distracts an organisation more
than having to deal with a disgruntled stakeholder group caused by a lack of confidence in the
governing body. And on the positive side, a supportive stakeholder base can generate benefits
for the organisation through social and emotional support, intangible but very valuable attributes
that all organisations should strive to achieve and sustain.
To provide the foundation for a high-performing organisation – the achievement of goals and
sustainable success requires input and support from all levels of an organisation. The Board,
through good governance practices, provides the framework for planning, implementation and
monitoring of performance and without a foundation to build high performance upon, the
achievement of this goal becomes problematic. Achievement of the best performance and
results possible, within existing capacity and capability, should be an organisation’s on-going
goal. Good governance should support management and staff to be “the best they can be”.
To ensure the organisation is well placed to respond to a changing external environment –
business today operates in an environment of constant change. Technology has created an
information age that has transformed our world, and for business to both survive and remain
profitable to enable it to fulfil its mission and achieve its vision, a system has to be in place to
assist an organisation to identify changes in both the external environment and emerging trends.
This process of understanding our changing world does not happen by chance; it requires
leadership, commitment and resources from the governing body to establish and maintain such
a system within the organisation. Change generally does not happen “overnight”; it is there for
all to see if they have in place a system for looking. Governing bodies, as the ultimate leaders of
an organisation, should take prime responsibility for this activity.
Fraud
Fraud is an intentionally deceptive action designed to provide the perpetrator with an unlawful gain or to deny
a right to a victim. Types of fraud include tax fraud, credit card fraud, wire fraud, securities fraud, and
bankruptcy fraud. Fraudulent activity can be carried out by one individual, multiple individuals or a business
firm as a whole.
Fraud involves the false representation of facts, whether by intentionally withholding important information or
providing false statements to another party for the specific purpose of gaining something that may not have
been provided without the deception.
Often, the perpetrator of fraud is aware of information that the intended victim is not, allowing the
perpetrator to deceive the victim. At heart, the individual or company committing fraud is taking advantage of
information asymmetry; specifically, that the resource cost of reviewing and verifying that information can be
significant enough to create a disincentive to fully invest in fraud prevention.
Both states and the federal government have laws that criminalize fraud, though fraudulent actions may not
always result in a criminal trial. Government prosecutors often have
substantial discretion in determining whether a case should go to
trial and may pursue a settlement instead if this will result in a
speedier and less costly resolution. If a fraud case goes to trial, the
perpetrator may be convicted and sent to jail.
Fraud also occurs in the insurance industry. Thoroughly reviewing an insurance claim may take so many hours
that an insurer may determine that a more cursory review is warranted considering the size of the claim.
Knowing this, an individual may file a small claim for a loss that didn’t really occur. The insurer may decide to
pay the claim without thoroughly investigating since the claim is small. In this case, insurance fraud has been
conducted.
The Federal Bureau of Investigation (FBI) describes securities fraud as criminal activity that can include high
yield investment fraud, Ponzi schemes, pyramid schemes, advanced fee schemes, foreign currency fraud,
broker embezzlement, pump-and-dumps, hedge fund related fraud, and late-day trading. In many cases, the
fraudster seeks to dupe investors through misrepresentation and to manipulate financial markets in some way.
These crimes are characterized by providing false or misleading information, withholding key information,
purposefully offering bad advice, and offering or acting on inside information.
The governance responsibility of an organisation rests with the Board, however in practical terms
everyone plays their own part.
Good governance is crucial to an organisation’s success and is not something to be feared. In social
enterprise, that success has an impact on the communities in which it operates. Governance does
not have to be complicated, and is equally important for organisations of all sizes. Governance is not
just about compliance, structure and duties!
Governance is often viewed as a compliance task. Likewise, Board members often feel that they have
more to offer – both individually and as a group - than the social enterprise is currently utilizing.
The time and effort spent by Boards to create and maintain the right governance mechanisms for
their social enterprise can save valuable time in building and scaling their organisation. It can also
ensure that the organisation does not make costly mistakes given the regulatory, legal and financial
environments in which it operates.
Governance should be viewed as a journey and something that is never truly completed.
Governance should be dynamic and adapt to the changing needs of the Board, the operating and
regulatory environment, and the larger goals and vision of the social enterprise over its lifespan.
Governance is fundamentally about people and the way they perform their respective roles and
responsibilities in order to achieve the outcomes of the organisation.
These Guiding Principles outline 7 key principles that are essential for effective governance. These
are:
1. Leadership
Each principle is explored individually and contains good practice guidelines. An organisational
health check has also been prepared that breaks down good practice into measurable actions.
Yet, by and large, people in business, as in life, are risk averse, seeking, where possible, to follow the path
which provides the lowest perceived risk.
That is not to say that business leaders should behave recklessly, taking unnecessary risks with little regard to
the consequences – rather, they should take managed risks and it is the job of the board to ensure that the
risks are managed robustly and rigorously.
Businesses need to identify the risks that they face, think of ways in which they might reduce the impact of
each risk on the operation of the business and prioritise their focus onto the risks with the highest likelihood of
occurrence and the greatest impact to the business.
In so doing, it is useful to group the risks into categories. The following is a list of frequently used categories of
risk:
Strategic
Operational
Financial
People
Regulatory
Governance
Reputational
Strategic Risks are the overarching risks the business takes when it sets or modifies the direction of travel of
the business. These risks can be external, when the business is affected by changes in the environment in
which it operates or internal risks arising from the adoption of an inappropriate strategy or the setting of
unrealistic objectives.
Operational Risks arise from the delivery of the goods or services which the business undertakes.
Financial Risks are to do with the management and flow of the business finances.
People Risks are associated with both the employment of staff and, for a charity, the involvement of
volunteers.
Regulatory Risks are concerned with the legislative framework within which the business operates.
Governance Risks are to do with the way the business is organized and run.
Reputational Risks are any aspects of the activities of the business which would affect its reputation.
A good place to start with identifying risks is the Business Plan or overall strategy document for the
business.
A useful tool to help to identify risks is an analysis of the strengths and weaknesses of the business and the
opportunities available to it and any potential threats to its success.
This analysis can be done at a strategic or operational level within the business to produce a number of items
within each quadrant. Sometimes items will appear in more than one quadrant, as a strength can also be a
weakness, for example, the involvement of a large number of staff in running a social enterprise is a strength
as they are more likely to be engaged with the business, but it can also mean that the decision-making process
is longer and less effective than an organisation with a leaner management structure, so it may also be seen as
a weakness.
Although when people think of risks they usually focus on the negative aspects – what can go wrong, it is also
useful to think of the ‘positive’ risks presented by opportunities.
Once risks have been identified they can be entered into the risk register so that they can be prioritised and
managed.
The risk register is a list of the identified risks faced by the association prioritised in order of likelihood and
impact.
It is a tool to enable the board to satisfy itself that the business’s risks are being managed effectively and
should be viewed on an exception basis, for example always reviewing the top five risks plus those risks which
have either increased or decreased in likelihood or impact since the previous review.
Each operating unit or department of the business will also have its own risk register which will feed in to the
overall risk register for the company.
The format of a typical risk register is likely to consist of a table with the following headings:
Risk Category
Risk Description
Risk Mitigation
Likelihood
Impact
Ranking
Comments
Governance is the set of processes and abilities needed to achieve the objectives and fulfil the
responsibilities of whatever business or organisation, whether public, for profit or not-for-profit, in
the healthcare sector or in another field of economic activity.
Asset misappropriation fraud happens when people who are entrusted to manage the assets of an
organization steal from it.
Asset misappropriation fraud involves third parties or employees in an organization who abuse their
position to steal from it through fraudulent activity. It can also be known as insider fraud.
This type of fraud can be committed by company directors, or its employees, or anyone else
entrusted to hold and manage the assets and interests of an organization.
Typically, the assets stolen are cash or cash equivalents, such as credit notes or vouchers. However,
the fraud can extend to include company data or intellectual property.
At one end of the scale, asset misappropriation fraud may be limited to isolated cases of expense
fiddling or an employee lying about his or her qualifications to get a job.
At the other end, it might involve organized crime groups infiltrating organizations to take advantage
of weak processes and inadequate internal systems and controls.
The definition of asset misappropriation fraud doesn’t include straight theft from an organization by
insiders, such as stealing stationery or other physical assets.
If they’re not tackled, opportunistic one-off frauds can become systemic and spread throughout an
organization, creating a culture of theft and fraud. When this happens, fraudsters think their actions
are acceptable and fail to make the distinction between company funds and their own funds.
Apart from the direct impact of lost funds, asset misappropriation fraud can also impact on an
organization’s staff morale and reputation.
Your organization also has a responsibility to protect other employers. Simply dismissing a fraudster
enables him or her to move to another employer where he or she will most likely continue their
fraudulent behavior. Consider taking part in a fraud data sharing scheme, or decide to prosecute the
fraudster when the fraud is discovered.
Financial Misstatement
A misstatement is the difference between the required amount, classification, presentation, or
disclosure of a financial statement line item and what is actually reported in order to achieve a fair
presentation, as per the applicable accounting framework. A misstatement could have been caused
by an error in recording a transaction, or fraudulent activity. It is considered to be material when the
user of a set of financial statements alters his economic decisions because of the misstatement.
Auditors assess the level of material misstatement when developing an audit plan for a client.
When a claim is brought that a business has issued fraudulent financial statements, a common
defense is for the organization to claim that a misstatement occurred, which by definition is
non-intentional and therefore nonfraudulent.
Computer Crime
Computer crime is an act performed by a knowledgeable computer user, sometimes referred to as a
hacker, who illegally browses or steals a company's or individual's private information. In some cases,
this person or group of individuals may be malicious and destroy or otherwise corrupt the computer
or data files.
In most cases, someone commits a computer crime to obtain goods or money. Greed and
desperation are powerful motivators for some people to try stealing by way of computer crimes.
Some people may also commit a computer crime because they are pressured, or forced, to do so by
another person.
Some people also commit a computer crime to prove they can do it. A person who can successfully
execute a computer crime may find great personal satisfaction in doing so. These types of people,
sometimes called black hat hackers, like to create chaos and wreak havoc on other people and
companies.
Another reason computer crimes are sometimes committed is because people are bored. They want
something to do and don't care if they commit a crime.
inventory control system. By keeping an accurate inventory count, an organization can identify irregular
purchases as well as any item being used at an unusually high rate. An organization can then conduct a review
to see if this unusual activity is an indication of deeper issues.
Send your payables and receivables to a P.O. Box, not your office.
Open and read your mail.
Know how much money is coming in and going out, then bring it to your bookkeeper.
If you can, segregate the duties. Have your receptionist or office manager open, list and log all checks received
in the mail. Then review reconciled bank statements and compare the check log to the deposit slips.
Sign your own checks. Avoid stamp signatures whenever possible.
6. Review your company’s financials.
Fully review your company’s financial statements. Read beyond the first page of the Profit and Loss Statements
—review every item on every page. A fraudulent employee will try to hide the fraud loss in detail level pages; if
you don’t examine your company’s statements thoroughly, these red flags will be impossible to find.
If you don’t understand something on your P&L, ask questions until you do. It can help to rename things you
don’t understand so that they make sense to you.
Know what each line item on your financial statement is. It’s your company—it is vital that you understand
how every piece is put together.
Each employee should have their own password and user ID to sign into their computer. Also, implement an
automatic sign off when the computer is not being used.
Keep passwords secret, not posted on the computer via a sticky note. Make sure sensitive company, employee
and customer information doesn’t make its way into the wrong hands.
Check stock and company credit cards are stored in a locked drawer.
Use dual authorization methods for electronic bank transfers.
Make sure accounting and computer software has user restrictions set up to limit access to individuals.
When internal controls are established and everyone knows their work will be double-checked, the
opportunity for fraud is greatly reduced. The bottom line: using checks and balances makes trusting your
employees easier.
9. The co-ordination of risk and ethics risk management processes allows for the effective use of
organisational resources and governance processes.
10. Ethics risk management is a continuous process that supports the organisation's risk
management, and thus guides strategy implementation in organisations.
Assessment
1. The organisation should ensure that it has the capacity and competence to identify and manage
its ethics risks and opportunities.
2. The ethics risk assessment process should take account of the views of all stakeholders involved
in the activity being assessed.
3. An ethics risk assessment process should ensure that all significant risks are identified timeously,
and that root causes are comprehensively described and analysed.
4. The ethics risk assessment should be expressed in terms of an ethics risk rating, to ensure that
the subsequent actions of determining risk impact and likelihood can be conducted.
5. The ethics risk assessment should reflect the effectiveness of current controls, and provide
sufficient information to assist in improving controls to eliminate or reduce risks to an
acceptable level.
Reporting
1. The organisation should disclose to its stakeholders how it manages its ethics risks and
opportunities.
2. Ethics risk reports need to be accurate and timely.
3. Ethics risk reports need to be sufficiently comprehensive to enable those involved in risk
mitigation to make informed decisions – all material and emerging risks need to be included, as
well as information relating to risk exposure.
4. Ethics risk reports need to be clear and useful, so as to address the needs of the recipients of
the reports.
5. Ethics risk reporting should be done frequently, as determined by the governing body, and will
vary according to the type of risk, the purpose of the report, and the needs of the recipients.
6. Ethics risk reports should be distributed to all relevant stakeholders, bearing in mind that
confidentiality needs to be maintained.