
Risks and Ethics Learner Guide

TABLE OF CONTENTS
ICEBREAKER: FRIENDS INDEED...................................................................................................................... 4

TRAINING MANUAL SAMPLE......................................................................................................................... 4

ACTIVITIES............................................................................................................................................................5
Sample Worksheet: Hazards........................................................................................................................5
Quick Reference Sheets...............................................................................................................................6
Certificate of Completion.............................................................................................................................7

MODULE ONE: IDENTIFYING HAZARDS AND RISKS MANAGEMENT................................................................8

WHAT IS A HAZARD?.............................................................................................................................................8
What Is a Risk?.............................................................................................................................................8
Consult with Employees...............................................................................................................................9
Likelihood Scale...........................................................................................................................................9
DEFINE RISK MANAGEMENT...................................................................................................................................10
The upside of risk-opportunity management............................................................................................10
The importance and benefits of risk management...................................................................................10
Benefits of risk management.....................................................................................................................11
Risk management framework and standards...........................................................................................12
Risk management roles and responsibilities.............................................................................................12
Risk appetite and risk tolerance................................................................................................................13
Risk appetite..............................................................................................................................................13
Risk management in support of organisational strategy.........................................................................13
Risk detection and assessment..................................................................................................................15
Risk identification is a structured process that.......................................................................................................15
Risk analysis needs to be applied after risk identification......................................................................................15
Risk evaluation is the final step in the risk assessment process..............................................................................16
Ethics risk as an organizations of organisational risk...............................................................................17
CASE STUDY....................................................................................................................................................... 17

MODULE TWO: ETHIC RISK.......................................................................................................................... 18

DEFINE ETHICS............................................................................................................................................ 18

ETHICS MANAGEMENT, MITIGATION & CULTURE........................................................................................................19


UNDERSTANDING ETHICS RISK.................................................................................................................................20
ETHICS RISK ASSESSMENT: APPROACH AND PROCESS...................................................................................................21
Overview....................................................................................................................................................21
The risk assessment process......................................................................................................................22
Frequency, scope, and depth of an ethics risk assessment......................................................................................23
Representatively of data Quantitative: Good Qualitative: Good..............................................................................24
Assessment of ethical conduct risk:..........................................................................................................................25
Risk rating...........................................................................................................................................................27
Strategy.................................................................................................................................................................... 27
Codes and policies....................................................................................................................................................27
Institutionalizing ethics............................................................................................................................................28
Monitoring and reporting.........................................................................................................................................29
THE ETHICS OF ETHICS RISK ASSESSMENT..................................................................................................................29
Content...................................................................................................................................................... 29
Objectivity..................................................................................................................................................30
Informed consent.......................................................................................................................................30
Anonymity..................................................................................................................................................30


Confidentiality........................................................................................................................................... 31
ETHICS AND DECISION-MAKING..............................................................................................................................31
Ethical decision-making framework..........................................................................................................31
ETHICS OF GOVERNANCE.......................................................................................................................................33
ETHICS POLICY.....................................................................................................................................................33
RISK MANAGEMENT PROCESS................................................................................................................................33
Ergonomics risk management process......................................................................................................36
The Ethics Institute (TEI)............................................................................................................................37
Business process selection.........................................................................................................................37
Risk analysis...............................................................................................................................................38
ETHICS AND DECISION-MAKING..............................................................................................................................40
THE RISK ASSESSMENT PROCESS..............................................................................................................................40
FREQUENCY, SCOPE, AND DEPTH OF ETHICS AND RISK ASSESSMENT RISK RATING (MITIGATION PROCESS)..............................42
AN ETHICS MANAGEMENT RESPONSE TO RISK IDENTIFICATION AND RISK RATING...............................................................43
THE ETHICS OF ETHICS RISK ASSESSMENT..................................................................................................................45
HANDOUT SAMPLE AT THE END OF THE LEARNING: WORKSHEET FOR ETHICAL DELIBERATION.............................................46

MODULE THREE: GOVERNANCE INTERFACE................................................................................................. 49

THE STRATEGIC GOVERNANCE OF RISK......................................................................................................................49


Principle 1: The governing body should be responsible for the governance of risk..................................49
Principle 2: The governing body should determine the levels of risk tolerance/appetite........................49
Principle 3: The risk committee or audit committee should assist the governing body in carrying out its
risk responsibilities....................................................................................................................................49
GOVERNANCE OVERSIGHT OF ETHICS MANAGEMENT...................................................................................................51
Risk committee..........................................................................................................................................52
Social and ethics committee......................................................................................................................55
A REPORTING STRUCTURE FOR THE GOVERNANCE OF ETHICS RISK..................................................................................55
DEFINE GOVERNANCE AND FRAUD..........................................................................................................................57
UNDERSTANDING GOVERNANCE PRINCIPLES.............................................................................................................59
THE STRATEGIC GOVERNANCE OF RISK......................................................................................................................60
GOVERNANCE OVERSIGHT OF ETHICS MANAGEMENT...................................................................................................62
A REPORTING STRUCTURE FOR THE GOVERNANCE OF ETHICS RISK..................................................................................62
ASSET MISAPPROPRIATION, FINANCIAL MISSTATEMENT, COMPUTER CRIME...................................................................62
Asset Misappropriation.............................................................................................................................62
Are you a victim of asset misappropriation fraud?...................................................................................................63
What should you do about asset misappropriation fraud?......................................................................................63
Protect yourself against asset misappropriation fraud.............................................................................................63
Financial Misstatement.............................................................................................................................64
Computer Crime.........................................................................................................................................65
REDUCING FRAUD RISK.........................................................................................................................................65

MODULE FOUR: KEY SUCCESS FACTORS....................................................................................................... 67

CONTEXT AND PLANNING......................................................................................................................................67


ASSESSMENT.......................................................................................................................................................68

REFERENCES............................................................................................................................................... 69


Icebreaker: Friends Indeed


Purpose
Get the participants moving around and help them introduce themselves to each other.

Materials Required
• Name card for each person
• Markers

Preparation
Have participants fill out their name card. Then, ask participants to stand in a circle, shoulder to
shoulder. They should place their name card at their feet. Then they can take a step back. You as
the facilitator should take the place in the centre of the circle.

Activity
Explain that there is one less place than people in the group, as you are in the middle and will be
participating. You will call out a statement that applies to you, and anyone to whom that
statement applies must find another place in the circle.

Examples:
• Friends who have cats at home
• Friends who are wearing blue
• Friends who don’t like ice cream

The odd person out must stand in the centre and make a statement.
The rules:
• You cannot move immediately to your left or right, or back to your place.
• Let’s be adults: no kicking, punching, body-checking, etc.

Play a few rounds until everyone has had a chance to move around.

Training Manual Sample


On the following pages is a sample module from our Risk and Ethics Training Manual for the one-
day workshop.

We have outlined all of the main suggested headings and developed a few key points for this
presentation.

It is in the same format and contains the same material as the Facilitator Guide, with the difference
that the Facilitator Guide will have practical activity guidance for each new section, where possible,
to lead the group.

The Training Manual can be easily updated, edited, or customized to add your business name and
company logo or any content suggestion changes required from your side.


Activities
The methodology will be to provide each participant with a copy of the material so that they can
follow along with the facilitator while taking part in highly interactive case studies, section debrief
questions for group discussion (to link the material to the work environment), and role play or
interactive games (to learn from each other's real experience). Participants make their own notes
during the debrief time allocated, so that they keep a reference for transferring the skills attained
during the workshop to the workplace.

During the facilitation of a lesson, a Worksheet or Handout may be used to help present the
material. If a lesson calls for a Worksheet or Handout, it will be listed in the Lesson Plan box under
Materials Required. The trainer can then take the corresponding material from the Activities folder
and provide it to the participants. They are all separate Word documents and are easily
edited and customized.

Below you will see the Worksheets or Handouts that are utilized during the training of the above
lesson. They are in the Activities folder and can be easily printed and edited for the participants.

Sample Worksheet: Hazards


Think of different hazards in your workplace. List them in the space below.


Quick Reference Sheets


Below is an example of our Quick Reference Sheets. They give the participants a quick way to
reference the material after the course has been completed, and they can be customized by the
facilitator to cover the material deemed most important. They are also very useful as a branded
take-away from the workshop: when a participant leaves with a Quick Reference Sheet, it provides a
great way to promote future business.

Risk Assessment and Management


Walk Around

Identifying potential problems requires close inspection of the work area. To do this, you need to look at the
environment carefully. Inspect each area of the facility for hidden risks and hazards that can cause problems. This
requires walking around the entire facility and making note of everything. It is essential to consider every possible use
of an area, all materials used, and each tool.

Things to Consider When Walking:


• How tools are used
• Different methods used to complete tasks
• Purpose of each tool
• Materials used
• External Events

No matter how prepared you are, problems are not always easy to predict. This is especially true of external events.
You have more control over internal events, but external events are more unpredictable. With external events, you
need to be prepared for every possible problem. These events are, basically, anything around the office that is not
internal.

Types of External Events:


• Suppliers: Suppliers bring external events with their own risks
• Customers: Customers bring external events with their own risks
• Visitors: Visitors bring external events with their own risks
• Traffic: Traffic affects schedules and the ability to make deadlines
• Parking: Drivers and car maintenance affect parking
• Environment: Weather and other environmental factors are external events

Emergency Action Plan

Every office building requires an emergency action plan. Emergency action plans are implemented in case of an
emergency such as a fire or major machine malfunction. Emergency action plans need to be written and accessible to
employees. In small groups (under 10), the action plan may be communicated to employees verbally.

What to Include in an Emergency Action Plan?


• Procedures to report emergency
• Evacuation procedures
• Critical employee procedures
• Accounting for employees after evacuation
• Rescue and medical procedures
• Title of the employee who informs others of their duties in the plan

Each employee must be trained to evacuate and to assist other employees. The employer must review the action plan
with employees when they are hired, when the plan changes, and when employee roles change.

Certificate of Completion
Every course comes with a Certificate of Completion so that participants can be recognized for completing the course. It provides a record of their
attendance and recognizes their participation in the workshop.
Module One: Identifying Hazards and Risks Management

Every organization has both hazards and risks. Identifying hazards and risks is necessary for risk
management. Hazards and risks are often confused with each other. Determining the difference
between a hazard and a risk will increase the effectiveness of the risk management program.

What Is a Hazard?
A hazard is any source of harm. This includes adverse health
effects or loss to the organization or employee. Hazards are
varied. They include materials, substances, and sources of
energy, processes, practices, and conditions.

Examples of hazards:
• Sharp objects
• High temperatures
• Electricity
• Slippery surfaces
• Asbestos
• Chemicals

Once hazards are identified, you can take the opportunity to identify the risks associated with each
hazard in your facility.

What Is a Risk?

A risk is not a hazard. It is the chance of harm coming from a hazard. This
applies to the health, bodily safety, equipment, and property. For example,
prolonged exposure to chemicals in the work environment increases the risk
of health problems. Noise exposure can place an employee’s hearing at risk.
Identifying the hazards in an environment is the first step in risk assessment.
The second step is to determine who is at risk from these hazards. The third
step is to evaluate the risk, and the final step is to determine the best way to control the risks and
provide a safe working environment.

Consult with Employees

Risk management is necessary to protect the company and the employees. Employees are the most
valuable resource: risk management directly affects them, and they have a unique understanding of
day-to-day operations. It is important to consult employees about any change in the way work is
done. When consulting with employees, it is imperative that you communicate clearly and honestly.
Provide ample time for the conversation to take place. Finally, it is imperative that you pay attention
to everything employees have to say; do not simply pay attention to feedback that supports your
current ideas.

Examples of When to Consult Employees:


• Safety inspections
• Purchasing or repairing equipment
• Workflow charts
• Internal layout
• Cleaning chemicals

Likelihood Scale

The likelihood scale is used to determine the likelihood that an event will
occur. For example, you would use it to determine the risk of an equipment
malfunction. Each risk needs to be scored on the likelihood scale from 0 to 3.

• 0 – Impossible: There is no possible way that the event can take place. This is rarely used.
• 1 – Low possibility/Remote possibility: There is a slight risk, 2% or less, of something
happening.
• 2 – Medium possibility/Possible: The event is possible. It has between a 2% and 25% chance of
occurring.
• 3 – High possibility/Probable: There is a greater than 25% chance that something is going to
happen. The event is likely going to occur soon.

Scores should be based on the current data that you have. The reasons for your score should also be
recorded.

Example:

Risk             Score   Reasoning
Hearing damage   1       Noise pollution is within safe parameters. The office does not have
                         loud, consistent noises.
Lab accident     3       Caustic chemicals are used daily, along with dangerous equipment.
                         There is the risk of human error.

Each company will have different risks and scores. Risks with higher scores need to be addressed
quickly.

Define risk management

Risk management is the process of planning, organizing, directing, and controlling resources and
operations to achieve given objectives, despite the uncertainty of events. Effective risk
management enables an organization to manage the probability of any unforeseen events that may
arise, and to limit the effect of the consequences, along with responding proactively to
opportunities. This means the organization will be better able to carry out its plans – in other words,
achieve its organizational objectives – despite the uncertainty of events occurring in the
environment in which it functions.

This definition encompasses both the positive and negative consequences of risk, and
places it in the context of the organization’s objectives.

The upside of risk-opportunity management


Opportunity management (also known as upside risk) is also an important component of
organisational planning and management systems. By focusing on the downside of risk, organisations
may overlook opportunities that provide significant possibilities for innovation and competitive
advantage. Missing opportunities may also significantly affect an organization’s overall ability to
deliver on its mandate, vision, and goals.

The concept of opportunity in the context of upside risk includes:
• the possibility that the future may be better than expected
• the possibility of a gain arising from a future event
• an uncertain event or condition that, if it occurs, will have a positive effect on the achievement
of objectives
• favorable circumstances for a positive outcome

The importance and benefits of risk management

Strategic planning is one of the most crucial means of ensuring that an organisation achieves its
vision, mission, and strategic goals. Strategic planning has been defined as “an organisational activity
that is used to set priorities, focus energy and resources, strengthen operations, ensuring that
employees work towards common goals and establishing agreement around outcomes”, which
suggests that organisations use this process to define their vision/mission, set strategic goals
(outcomes), identify strategies to achieve these, and develop tools to measure their achievements.
Internal and external risks may undermine the achievement of an organization’s strategic goals. By
the same token, upside risk may facilitate the achievement of strategic goals.

It has therefore become imperative that organisations adopt a formal risk management process,
whereby risks are proactively identified, captured in risk registers, and managed. Furthermore, risk
management and strategic planning need to be integrated into a single coordinated and holistic
process.

Risk-opportunity management is important in maximizing an organization’s ability to create and
protect value. Failing to manage risks may prevent the organisation from achieving its objectives,
and ultimately lead to the diminishing of share value, loss of competitive advantage, and even
closure. Failure to manage risks may also harm stakeholders such as the community in which the
organisation operates. Failing to manage opportunities may lead to an organisation becoming less
relevant to its stakeholders (including shareholders) or to the beneficiaries of its activities, such as
customers, constituents, or clients. This is particularly the case where there is competitive pressure
to deliver.

Tangible benefits of risk-opportunity management include projects and activities delivered on time
and on budget; not adversely affecting stakeholders (including the workforce, the environment and
society), such as through physical and environmental harm; and not exposing the organisation to
financial or other penalties.

Benefits of risk management


ISO standards and the relevant legislation highlight the following benefits of risk management:
1. Risk management creates and protects value. It contributes to the demonstrable achievement of
objectives and improvement of performance in, for example, health and safety, security,
legal and regulatory compliance, public acceptance, environmental protection, product quality,
project management, efficiency in operations, governance, and reputation.
2. Risk management forms an integral part of organizational processes and, if fully integrated,
enhances the strategic management process. It is not a stand-alone activity that can be
separated from the main activities and processes of an organization and should not be
managed within functional silos. Risk management is a management responsibility, and
forms an integral part of all organizational processes, including strategic planning and project-
and change management processes.
3. Risk management is part of decision-making. It assists decision-makers to make informed
choices, prioritise actions, and distinguish between alternative courses of action.
4. Risk management addresses uncertainty. It explicitly takes account of uncertainty, the nature of
the uncertainty, and how it can be addressed. Even if certain events cannot be avoided, the
organization can achieve a degree of resilience through planning.
5. Risk management must be systematic, structured, and timely. It contributes to efficiency and to
consistent, comparable, and reliable results.
6. Risk management is based on the best available information. Since the inputs to the process of
managing risk are based on information sources, decision-makers are encouraged to familiarize
themselves with valuable information sources, as well as any limitations related to data.
7. Risk management is transparent and inclusive. It therefore encourages organizations to
identify internal and external stakeholders, and to consult stakeholders on key policies and
decisions that require buy-in and support.
8. Risk management is dynamic, iterative, and responsive to change. It continually senses and
responds to change and allows for more effective planning.
9. Risk management facilitates continual improvement of the organization. As organizations
implement strategies to improve their risk maturity, other aspects of the organization also
benefit.
10. Benefits in economy and efficiency can be achieved in the targeting of resources, protection of
assets, and avoidance of costly mistakes.
11. The organization’s reputation is enhanced, as clients are drawn to organizations that are known
to have sound risk management processes.
12. Effective risk management of personal risk (personal wellbeing) generally improves health and
wellbeing of self and others.

Risk management framework and standards


The risk management framework follows the shape of the plan, do, check, adjust model (also known
as the plan, do, check, act model), a four-step iterative process that can be applied to any number of
processes and systems, where:
• Plan: establish the risk management framework
• Do: implement and operate it
• Check: monitor and review its effectiveness
• Adjust (Act): maintain and continuously improve it

Risk management roles and responsibilities


The organisation should establish accountability, authority, and appropriate competence for
managing risk throughout the organisation. This includes designing, implementing, and maintaining
the risk management process, along with ensuring the adequacy, effectiveness, and efficiency of
controls. This can be facilitated by:
• identifying risk owners who have the accountability and authority to manage risks
• identifying those accountable for the development, implementation, and maintenance of the
framework for managing risk
• identifying those responsible for the risk management process at all levels in the organization
• establishing performance measurement metrics
• establishing external and/or internal reporting and escalation processes
The governing body should specify responsibilities across multiple 'lines of defence' as appropriate
to the organisation. These would generally include the executive leadership team, risk
practitioners (such as a chief/corporate risk officer), management, and the overall workforce.

Risk appetite and risk tolerance


Risk appetite
An organization’s risk appetite reflects the level of risk it is willing to accept in all spheres, to achieve
its stated objectives. It is an organization’s propensity for taking risks.

It is the responsibility of the governing body of the organisation to determine the various levels of
risk appetite. This body should consider the views and requirements of internal and external
stakeholders (e.g., shareholders, regulators, local communities, customers, the organization’s own
workforce, etc.).

The governing body is responsible for establishing the overall risk appetite of the organisation,
within the limits of legal and regulatory requirements. A business unit general manager may be
responsible for establishing the risk appetite of that unit, within the broader constraints imposed
by the overall organisation. Project managers may establish their own project risk appetite, within
the boundaries agreed upon by the project sponsors.

There should be a range of different appetites defined for different risk types – financial or non-
financial – for example, for risks related to the law, finance, operations, ethics, health and safety,
and other domains. Risk appetite is dynamic and fluctuates as various internal and external factors
change.

Risk tolerance
Risk tolerance reflects an organization’s ability, or readiness, to bear a risk after all responses have
been put in place. It is the level of unwanted outcomes that can continually be tolerated. Risk
tolerance may refer to financial (e.g., profit), quasi-financial (e.g., gearing), or non-financial (e.g.,
staff turnover) aspects of risk.

The organization’s risk tolerance, however, should always be higher than its appetite for risk. Where
the appetite exceeds the tolerance, this should be disclosed to the relevant stakeholders.

Public sector organisations should recognise that their risk tolerances should be defined
differently to those of private organisations, particularly as there are legislated service commitments
that must be maintained, irrespective of financial constraints.

Risk management in support of organisational strategy


The first step in risk management is defining the objectives (strategic goals) that the organization
wants to achieve, how it intends to achieve these (the operating model), and what might get in the
way of such achievement. In establishing the context, the organization could follow the process
below:

• Define an operating model, along with strategic and operational objectives.
• Define the external and internal factors that give rise to the risk that the organization might not
meet its objectives.
• Determine externally imposed risk parameters (e.g., regulatory, legal, social, contractual, etc.).
• Apply the risk management process to the organization and define internal parameters
(e.g., risk appetite, risk tolerance).

Strategic risk management helps an organization to consider the various uncertainties that affect its
strategy and the execution thereof, and then act on these. It should not only consider the stumbling-
blocks that may prevent the successful execution and implementation of the organization’s
strategies, but also the risks that the implementation of such strategies may bring.

While the assessment and evaluation of strategic risks lie within the standard risk management
processes, the framework should make specific note of when to apply these processes to strategic
risks. This is necessitated by the infrequent nature of strategic risk management, as well as its
importance in ensuring the relevance of the risk management system itself.

The executive leadership team should specify a regular interval at which strategic risks are to be
identified, assessed, and treated. This is often a yearlong cycle, depending on the nature and
complexity of the organization, and often starts and concludes during an annual strategy planning
session. It can be conducted more or less frequently, as needed by the organization.

Strategic risk management should consider the organization’s risk thresholds (risk appetite and risk
tolerance).

Functionaries responsible for this process should be cognizant of the financial and other reporting
deadlines to which the organization must adhere. Therefore, strategic risk management activities
should be added to the organization’s calendar, so that appropriate information can be obtained for
the executive to make an honest and effective appraisal of the organization’s risk profile.

Risk detection and assessment


Risk assessment
It is important to identify what could cause an organization to deviate from its objectives, to
determine how likely this is to occur, as well as what the consequences could be if it does. After this,
the organization needs to determine which risks need to be addressed first, which are less urgent,
and which risks do not necessarily warrant intervention. There are three basic approaches to risk
assessment:
• quantitative methods (e.g., the accumulation and development of relevant historical or
predictive datasets, quantitative surveys/questionnaires)
• qualitative methods (e.g., market research, qualitative surveys/questionnaires, risk workshops)
• a mixed-method approach, which is a combination of quantitative and qualitative methods

In many instances, it is appropriate to use more than one technique or methodology in the risk
assessment process. The depth of assessment depends entirely on the context and will be
determined by the specific risk(s) in question, the availability of reliable data, and the
organization’s decision-making criteria. In addition, some methods and the inclusion of certain
details are prescribed by legislation.

Not all assessments are conducted using purely quantitative, numerical methods. Qualitative and
semi-quantitative methodologies can also be used, in which case rating scales and significance levels
deliver results. For example, a risk can be assessed by combining its probability and consequences
according to established criteria, and categorizing it as High, Medium, or Low. Alternatively, a
numerical rating scale can be used to estimate the level of risk according to some previously agreed
formulae or calculations.

Risk assessment consists of three steps:


1. Risk identification
2. Risk analysis (including consideration of the sources and causes of a specific risk
event occurring, the consequences/impact of the risk event occurring, the likelihood
that the risk event will occur, and the impact thereof on the organization’s
objectives)
3. Risk evaluation

Risk identification is a structured process that


• identifies specific risks for which the organization should account
• identifies how the organization’s objectives could be affected by these risks
• analyses the risks in terms of their consequences and the probability of their occurrence
• describes the priority that should be assigned to each risk

Risk analysis needs to be applied after risk identification


Risk analysis involves developing an understanding of the risk. This entails consideration of
the causes and sources of the risk, potential positive and negative consequences, and the likelihood
of those consequences occurring. By first analyzing risks, the information necessary to undertake the
risk evaluation process is obtained. This step is important, as it allows the organization to prioritize
its risks, followed by allocating resources appropriately.

It is important to understand that an event or situation can have multiple causes and consequences.
A single event or situation can also affect multiple objectives. In such cases, the risk can be
described using a range of probabilities across a range of circumstances.

The organization’s existing controls should be factored into the risk analysis process, as these will
affect the characteristics of the risk (such as its likelihood and consequences), as well as the extent
to which it has been, or could be mitigated.

In some circumstances the probability of a risk may be extremely low; this may skew the risk analysis
process such that a risk that can have a significant impact on business continuity is unintentionally
accepted. Alternatively, the consequence may be perceived as insignificant, but, in conjunction
with other events, could nevertheless lead to a catastrophic outcome (i.e., the combination of
risks exceeds the risk tolerance). Both situations require sound judgment and insightful appraisal
of the risk, acknowledgement of any personal or cultural bias towards risk, and a rigorous
application of minimum risk thresholds.

Regardless of the type of analysis (e.g., quantitative or qualitative) undertaken, the calculated level
of risk remains an estimate, and is influenced by a range of factors. These may include human bias in
the evaluation of the risk, or in the design of the risk scoring criteria of automated systems. Sample
sizes are rarely exhaustive, and while relevant statistical techniques should be applied where
appropriate, comprehensive data cannot be guaranteed.

In addition, a spurious level of accuracy and detail should not inadvertently be ascribed to the results.
Throughout the process, good sense and sound judgment must be applied to the models used, and a
rational decision must be made, based on the information available. Here, the insight and
experience of specialists play an important role in checking the outputs of any modeling process, to
make sure they make sense.

A typical risk analysis approach could consist of the following steps:


• assessing current controls
• analyzing consequences
• analyzing likelihood and estimating probability
• extrapolation from historical data
• probability modeling
• expert judgment
• compiling and populating the contents of the risk register

Risk evaluation is the final step in the risk assessment process


This involves comparing the risk against pre-determined criteria, thus specifying the significance of
the risk in terms of the organization’s objectives. All available information should be used in the
evaluation stage, including the relevant risk thresholds the organization has specified in terms of
legal, ethical, financial, or other constraints. The decision that should be taken at this point should
consider the following:
• the priority of a risk and, hence, the urgency with which it should be addressed
• any risks that can be accepted without further action, such as those with very low probability
and impact
• those risks that should be accepted only with the implementation of specific responses
• any immediate decisions that are required to avoid risks that breach specific thresholds
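Worked example, added here and not part of the learner guide: the likelihood-times-consequence rating described earlier in this section, carried through analysis (factoring in existing controls), rating, and the four evaluation decisions just listed, for a constructed risk register. The 1-5 scales, the High/Medium/Low score bands, the tolerance value of 12, the assumption that controls reduce likelihood but never consequence, and the sample risks are all assumptions made for this illustration; none of them come from the guide.

```python
"""Added example (not from the learner guide): scoring a small risk register
with a likelihood x consequence matrix, adjusting for existing controls, and
applying the evaluation decisions listed above.  The 1-5 scales, the
High/Medium/Low bands, the tolerance figure and the sample risks are all
assumptions constructed for this illustration."""

import math
from dataclasses import dataclass

# Assumed ordinal scales; the guide only requires "previously agreed" criteria.
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
CONSEQUENCE = {"insignificant": 1, "minor": 2, "moderate": 3, "major": 4, "catastrophic": 5}

# Assumed residual score (likelihood x consequence, 1-25) above which a risk
# breaches the organisation's stated tolerance and needs an immediate decision.
TOLERANCE = 12


def rate(score, consequence_level):
    """Map a 1-25 score to High/Medium/Low using assumed bands.

    A catastrophic consequence is floored at Medium even when the likelihood is
    tiny: the guide warns that a very low probability can otherwise lead to a
    business-continuity risk being accepted by accident."""
    if score >= 15:
        rating = "High"
    elif score >= 8:
        rating = "Medium"
    else:
        rating = "Low"
    if consequence_level == CONSEQUENCE["catastrophic"] and rating == "Low":
        return "Medium"
    return rating


@dataclass
class Risk:
    name: str
    likelihood: str
    consequence: str
    control_effectiveness: float = 0.0  # 0.0 = no control in place, 1.0 = fully effective

    def inherent_score(self):
        """Score before existing controls are considered."""
        return LIKELIHOOD[self.likelihood] * CONSEQUENCE[self.consequence]

    def residual_likelihood(self):
        """Controls are assumed to lower likelihood only; rounding up keeps the
        estimate conservative, and the level never drops below 1."""
        reduced = LIKELIHOOD[self.likelihood] * (1 - self.control_effectiveness)
        return max(1, math.ceil(reduced))

    def residual_score(self):
        return self.residual_likelihood() * CONSEQUENCE[self.consequence]

    def rating(self):
        return rate(self.residual_score(), CONSEQUENCE[self.consequence])

    def decision(self):
        """The outcomes of the evaluation step described in the text."""
        score = self.residual_score()
        if score > TOLERANCE:
            return "escalate"             # breaches a threshold: immediate decision required
        if self.rating() == "Low":
            return "accept"               # low probability and impact: no further action
        return "accept with response"     # acceptable only with specific responses


def prioritise(register):
    """Return (name, residual score, rating, decision) rows, most urgent first."""
    rows = [(r.name, r.residual_score(), r.rating(), r.decision()) for r in register]
    return sorted(rows, key=lambda row: row[1], reverse=True)


# Constructed sample register (an assumption, not data from the guide).
SAMPLE_REGISTER = [
    Risk("Press machine does not shut off properly", "likely", "major", 0.1),
    Risk("Suppliers paid late", "possible", "minor", 0.5),
    Risk("Fire in main server room", "rare", "catastrophic", 0.0),
    Risk("Data-entry errors in timesheets", "almost certain", "insignificant", 0.5),
]

if __name__ == "__main__":
    for name, score, rating, decision in prioritise(SAMPLE_REGISTER):
        print(f"{score:>2}  {rating:<6}  {decision:<20}  {name}")
```

The floor in `rate` is what stops the server-room fire from being waved through as "Low" on score alone, which is exactly the skew the text warns about for very low probability, high impact events; the machine risk breaches the assumed tolerance and is the only entry that demands an immediate decision.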

Ethics risk as a dimension of organisational risk


The Committee of Sponsoring Organizations (COSO) describes the role of ethics in risk management
as follows:

“An entity's strategy and objectives and the way they are implemented are based on
preferences, value judgments, and management styles. Management's integrity and commitment to
ethical values influence these preferences and judgments, which are translated into standards of
behavior. Because an entity’s good reputation is so valuable, the standards of behavior must go
beyond mere compliance with the law. Managers of well-run enterprises increasingly have accepted
the view that ethics pays, and that ethical behavior is good business.”

Risk management emphasizes the importance of ethics in enterprise governance, risk, and
compliance systems.

Ethics risk is a category of risk in the same way that legal, operational, IT, finance, and HR risks
are. As failing to manage ethics risk could give rise to as many, if not more, reputational and
financial costs for an organization as any other type of risk, it warrants equal attention. As such,
ethics risk is a component of the broader organizational risk framework. The risk management
processes of an organization are also highly dependent on the ethical culture of the organization to
enable effective risk management.

Case Study
Sean is an outside hire to his new management position. He understands that
risk management is important, and he takes the time to go over the incident
reports and inspect the facility. An employee tells him that one of the
machines needs to be replaced. He says that several employees have come
close to being injured while using it. He states the machine does not shut off
properly. Sean believes that asking for new equipment this soon is not wise.
He points out to the employee that there are no incident reports for the
specific piece of equipment. The employee responds that the employees
know to be extra careful on the machine, but it is just a matter of time before
someone is injured. Sean ignores the request and the complaints from three
other employees. He does nothing about the equipment. Two months later, an
employee thinks the machine is turned off and gets her hand caught in it.

Module Two: Ethics Risk

Define Ethics
At its simplest, ethics is a system of moral principles. They affect how people make decisions and
lead their lives.

Ethics is concerned with what is good for individuals and society and is also described as moral
philosophy.

The term is derived from the Greek word ethos which can mean custom, habit, character, or
disposition.

Ethics covers the following dilemmas:


 how to live a good life
 our rights and responsibilities
 the language of right and wrong
 moral decisions - what is good and bad?

Our concepts of ethics have been derived from religions, philosophies, and cultures. They infuse
debates on topics like abortion, human rights, and professional conduct.

Approaches to ethics
Philosophers nowadays tend to divide ethical theories into three areas: meta-ethics, normative ethics,
and applied ethics.
 Meta-ethics deals with the nature of moral judgement. It looks at the origins and meaning of
ethical principles.
 Normative ethics is concerned with the content of moral judgements and the criteria for what is
right or wrong.
 Applied ethics looks at controversial topics like war, animal rights, and capital punishment.

What use is ethics?


If ethical theories are to be useful in practice, they need to affect the way human beings behave.

Some philosophers think that ethics does do this. They argue that if a person realises that it would
be morally good to do something then it would be irrational for that person not to do it.

But human beings often behave irrationally - they follow their 'gut instinct' even when their head
suggests a different course of action.

However, ethics does provide good tools for thinking about moral issues.

Ethics can provide a moral map


Most moral issues get us pretty worked up - think of abortion and euthanasia for starters. Because
these are such emotional issues, we often let our hearts do the arguing while our brains just go with
the flow.

But there's another way of tackling these issues, and that's where philosophers can come in - they
offer us ethical rules and principles that enable us to take a cooler view of moral problems.

So, ethics provides us with a moral map, a framework that we can use to find our way through
difficult issues.

Ethics can pinpoint a disagreement
Using the framework of ethics, two people who are arguing a moral issue can often find that what
they disagree about is just one part of the issue, and that they broadly agree on everything else.

That can take a lot of heat out of the argument, and sometimes even hint at a way for them to
resolve their problem.

But sometimes ethics doesn't provide people with the sort of help that they really want.

Ethics doesn't give right answers


Ethics doesn't always show the right answer to moral problems.

Indeed, more and more people think that for many ethical issues there isn't a single right answer -
just a set of principles that can be applied to cases to give those involved some clear choices.

Some philosophers go further and say that all ethics can do is eliminate confusion and clarify the
issues. After that it's up to everyone to come to their own conclusions.

Ethics can give several answers


Many people want there to be a single right answer to ethical questions. They find moral ambiguity
hard to live with because they genuinely want to do the 'right' thing, and even if they can't work out
what that right thing is, they like the idea that 'somewhere' there is one right answer.

But often there isn't one right answer - there may be several right answers, or just some least worst
answers - and the individual must choose between them.

For others moral ambiguity is difficult because it forces them to take responsibility for their own
choices and actions, rather than falling back on convenient rules and customs.

Ethics management, mitigation and culture


Culture describes a collective way of life, or way of doing things. It is the sum of attitudes, values,
goals, and practices shared by individuals in a group, organization, or society. Cultures vary over time
periods, between countries and geographic regions, and among groups and organizations. Culture
reflects the moral and ethical beliefs and standards that speak to how people should behave and
interact with others.

Cultural norms are the shared, sanctioned, and integrated systems of beliefs and practices that are
passed down through generations and characterize a cultural group. Norms cultivate reliable
guidelines for daily living and contribute to the health and well-being of a culture. They act as
prescriptions for correct and moral behaviour, lend meaning and coherence to life, and provide a
means of achieving a sense of integrity, safety, and belonging. These normative beliefs, together
with related cultural values and rituals, impose a sense of order and control on aspects of life that
might otherwise appear chaotic or unpredictable.

This is where culture intersects with ethics. Since interpretations of what is moral are influenced by
cultural norms, the possibility exists that what is ethical to one group will not be considered so by
someone living in a different culture. According to cultural relativists this means that there is no
singular truth on which to base ethical or moral behaviour for all time and geographic space, as our
interpretations of truths are influenced by our own culture. This approach contrasts with
universalism, which holds the position that moral values are the same for everyone. Cultural
relativists consider this to be an ethnocentric view, as the universal set of values proposed by
universalists are based on their set of values. Cultural relativism is also considered more tolerant
than universalism because, if there is no basis for making moral judgments between cultures, then
cultures have to be tolerant of each other.

Understanding ethics risk


Risk ethics is an emerging branch of philosophy that investigates the moral aspects of risk and
uncertainty. Although one originating motivation in the pursuit of science and technology was an
effort to reduce risk and uncertainty present in the natural world, it has been increasingly
appreciated that the scientific and technological world presents its own constructed risks.
Recognizing that one form of risk (natural) is overcome only at the cost of another form of risk
(involved with science or technology) has stimulated critical reflection on risk in ways that did not
occur in the absence of technological risk.

Risk has vernacular and technical meanings. In everyday language a risk is simply a danger. But in
relation to science and technology, risk is often defined as the probability of some harm. The
probability of a benefit is often called a chance. According to another common definition, risk is
identified with the value obtained by multiplying the probability of some harm or injury by its
magnitude. With any attempt to spell out the details of how this might be done, however, problems
arise since it is not clear that there is a single measure for all harms or injuries. Attempts have been
made to measure all health effects in terms of quality-adjusted life years (Nord 1999). Risk-benefit
analysis goes one step further and measures all harms in monetary terms (Viscusi 1992). However,
as several critics have pointed out, such unified approaches depend on controversial value
assumptions and may be difficult to defend from an ethical point of view (Shrader-Frechette 1992).

Independent of methodological issues, however, are the assumptions of traditional moral philosophy,
which has focused on situations in which the morally relevant properties of human actions are both
well-determined and knowable. In contrast, moral problems in real life often involve risk and uncertainty.
According to common moral intuitions it is unacceptable to drive a vehicle in such a way that the
probability is 1 in 10 that one runs over a pedestrian, but acceptable if this probability is 1 in 1
billion. (Otherwise, one could not drive at all.) It is far from clear how standard moral theories can
account for the difference and explain where the line should be drawn.

Ethics risk assessment: approach and process


Overview
Ethics risk assessment is a planned and structured assessment process that is applied by obtaining
stakeholders' perspectives at regular intervals, with a view to helping the organization compile its
ethics opportunity-risk profile.
The impetus for an organization to conduct an ethics opportunity-risk assessment could have
multiple origins, such as legislation, compliance requirements, corporate governance guidelines,
integrated sustainability reporting requirements, stock exchange regulations, business scandals,
pressure from internal or external stakeholders, and monetary losses (e.g., through fraud, theft of
organizational property, fines for price collusion, etc.).

The purpose of an ethics risk assessment is to identify the beliefs, practices, and behaviors (conduct)
that are either (a) counterproductive to the maintenance of the ethical principles and standards that
regulate desirable relationships among organizational stakeholders, or (b) enablers of such ethical
principles and standards.

When conducting an ethics opportunity-risk assessment, an organization has to engage with its
internal and external stakeholders, to determine (a) stakeholders' perceptions of the organization’s
ethics and (b) what they expect of the organization regarding ethics.

An ethics risk assessment is neither a forensic investigation, nor an ethics audit. It is also not an
opportunity to identify transgressors and engage in a witch-hunt to oust them. It is a research
intervention to ascertain the ethics perceptions and expectations that stakeholders of the
organization hold.

An ethics risk assessment provides an organization with a broad frame of reference within which an
effective ethics management strategy can be formulated. The ethics risk assessment produces a
take on the state of the organization’s ethics; as such, it will provide a general indication if there is a
risk of unethical behavior in the organization. The ethics risk assessment also culminates in an ethics
risk profile, which translates into identification of specific ethics risks, the extent of the prevalence of
the perceived ethics risks, and the ethics risks’ ratings (high, moderate, or low).

An ethics risk assessment only addresses the first step of the risk assessment process of risk
management; that is, the risk identification process (type of ethics risk), the extent (ethics risk
prevalence) to which it is perceived to occur, and the risk rating. As such, it considers neither the
consequences nor impact of risk events occurring, nor the likelihood that the risk event will occur
and the impact it may have on the organization’s objectives. Once the ethics risk assessment has
been completed, the ethics office will further analyze and evaluate the ethics risks in conjunction
with the organization’s risk management function. Current control mechanisms to deal with ethics
risks will be factored into this process, as well as further control mechanisms required to ensure
proper ethics risk mitigation. The process culminates in an ethics risk register, which forms an
important part of the organization’s overall risk register.

The next section of this handbook will provide more clarity on the nature and mitigation of ethics risks
identified during an ethics risk assessment and the responsibilities of the respective organizational
role players (ethics practitioners and risk practitioners).

The risk assessment process


The consecutive steps in the process by which ethics opportunities and risks are assessed are shown
in the figure below.

As can be seen from the figure, an impetus has to be provided for the ethics risk assessment to be
commissioned. This impetus is provided either by a triggering event, at the one extreme (e.g., a
corporate scandal - reactive), or an organizational context that is pro-active and seamlessly
integrated with the organization’s strategic and sustainability objectives. The instruction to execute
an organizational ethics risk assessment usually emanates from the governing body or the
committee responsible for ethics governance.

The ethics office then proceeds to formulate the ethics risk assessment intervention - this includes
the planning of the process and acquisition of the required financial, human, and other resources.
An appropriate risk assessment methodology is selected (qualitative, quantitative, or a combination
thereof), according to which will yield the most valid and reliable results.

The intended scope and depth of the assessment then informs the identification and prioritization of
stakeholders (e.g., internal and/or external) to be polled in the assessment intervention. The chosen
methodology is then applied, and data obtained. Once all the data has been gathered, it is subjected
to scientific qualitative and/or quantitative data analyses by expert qualitative and/or quantitative
data analysts (the latter being statisticians).

All the data obtained is then integrated in a form that meets the expectations of the intended initial
target audience (e.g., ethics governance committee). The integrated data is then included in a
comprehensive written report, i.e., the organization’s ethics opportunity-risk profile. The profile is
then presented to the source of instruction in written and verbal format.

The duration of an ethics risk assessment could vary from one week for a smaller organization or one
that opted for a dipstick analysis, to several months for a larger organization or one that opted for a
comprehensive assessment. The process is repeated at regular intervals, e.g., a three-year cycle.
Continuous monitoring of the ethics risks is imperative - this happens through collaboration with the
risk function and is guided by the organization’s ethics risk register. Unforeseen incidental risks need
to be dealt with in an ad hoc manner as they arise.

Frequency, scope, and depth of an ethics risk assessment


An ethics risk assessment process differs from organizational risk management, where risk is
continuously monitored and mitigated, in that it is a process that is applied at regular intervals.
Ethics risk assessments need to be conducted with some regularity, to ensure that new risks that
arise as the organization grows are identified and accounted for.

The factors that determine the frequency with which an organization should assess its ethics
opportunities and risks are organization size, number of employees, budget, ethics management
skills levels within the organization, type of industry, reporting requirements, and the desired scope
and depth of assessment. Typically, a comprehensive and in-depth ethics risk assessment is
conducted every two to three years.

It should be borne in mind that, depending on the scope and depth of the assessment, e.g., whether
both internal and external stakeholders' perceptions and expectations are polled, a risk assessment
process, from the time of the request to the feedback of the results, could take between one and six
months to complete.

The following three broad approaches to determining an ethics risk assessment project's scope and
depth could be utilized:

1. 'Dipstick' assessment: a limited number of qualitative interviews (e.g., six, with key internal
stakeholders, including employees) and a quantitative survey.
Representativeness of data: quantitative good; qualitative poor.

2. Selective assessment: approximately 15 qualitative interviews with key internal stakeholders and
a quantitative survey.
Representativeness of data: quantitative good; qualitative acceptable.

3. Comprehensive analysis:
 Approximately 40 qualitative interviews with key internal and external stakeholders
 A quantitative survey
 Document analyses and benchmarking (comparing the organization’s opportunities and risks to
those of other, similar national or international organizations)
 The organization’s media exposure, i.e., the quantity and quality of media coverage
afforded to the organization in the recent past, where these reports could either have
enhanced or undermined the organization’s ethics reputation
Representativeness of data: quantitative good; qualitative good.


Similar to the methodology employed to assess organizational risk, the following generic ethics risk
identification methods could be utilized during an ethics opportunity-risk assessment:
 Qualitative:
o interviews (one-on-one or group interviews/focus groups)
o document analyses (current policies, meetings' agendas, findings of investigations and
disciplinary hearings)
o benchmarking (to identify industry or international best practice)
o analyses of the organization’s media exposure
 Quantitative:
o questionnaires (surveys)
o financial data

The most comprehensive results are obtained when using a combined approach of quantitative and
qualitative measures. A popular approach is to first conduct a qualitative assessment. The data
yielded by qualitative methods is analyzed through the application of content analysis
methodologies. The major and sub-themes that emerge from the data analyses inform the
identification of the types of ethics opportunities and risks that exist, or may occur in the
foreseeable future, that could enhance or undermine the ethics dimension of the organization’s
reputation.

Three categories of ethics risk are usually assessed:


1. Conduct (behavior) risk – these are specific types of risk, e.g., supplier relations, nepotism,
fraud, bribery, theft, misleading of customers, breaches of confidentiality, and many more.
2. Ethical culture risk – typical risks in this category relate to ethical accountability and
responsibility, ethics awareness, the willingness to talk about ethics and ethics challenges,
leadership commitment to ethics, and the ethical treatment of employees.
3. Ethics management risks – this category of ethics risk refers to the presence and perceived
success of ethics management structures, strategies, and interventions. Examples of related
themes include the existence and status of the organization’s code of ethics, the inclusion of
ethics in employee induction (on-boarding) interventions, ethics training conducted, integrity
assessments of prospective employees, the extent to which ethical behavior is appraised in
performance management systems, and the existence of ethics helpdesks and safe reporting
facilities.

Assessment of ethical conduct risk:


Here, a major theme that often emerges is supplier relations. Sub-themes can then be identified,
such as the disrespectful treatment of suppliers, late payment of suppliers, irregular fraternizing by
employees with suppliers, accepting kickbacks from suppliers, and unfair favoring of certain
suppliers over others. At this point, the organization is only aware of the nature or types of the
themes and, at best, a rank order of the themes according to importance.

Qualitative methods thus answer the question "What?" They do not identify the "How much?", i.e.,
the prevalence or perceived frequency or intensity of occurrence. They also do not yield information
on the potential impact or likelihood of occurrence.

A quantitative assessment therefore needs to be applied after the qualitative assessment, where the
themes (ethical conduct risks) that emerged from the qualitative assessment inform the contents of
the items of a questionnaire or survey. The questionnaire is then used to assist the organization in
determining the extent to which the themes are perceived to occur or may occur in future. A risk
rating exercise is then conducted, which will yield risk ratings of high, moderate, or low.

To further the example used above: supplier relations and its sub-themes as potential risks can now
be assessed in quantified terms. See the table below for an example.

To what extent do you agree that this occurs in Organisation X?

Conduct (behaviour) risk                                              Strongly agree ... Fully disagree   I don't know
No.  Types of ethics challenges
 6   Employees are rude to suppliers                                               1 2 3 4 5 6            DK
11   Employees engage in irregular fraternizing with suppliers outside of          1 2 3 4 5 6            DK
     business hours
18   Suppliers treat employees lavishly during product promotion events           1 2 3 4 5 6            DK
23   Suppliers have to wait very long to receive payment                           1 2 3 4 5 6            DK
28   Accepting bribes/kickbacks from suppliers/contractors for awarding business   1 2 3 4 5 6            DK
39   Certain suppliers are used, despite poor products and slow delivery           1 2 3 4 5 6            DK
43   The process of awarding contracts to suppliers is unfair                      1 2 3 4 5 6            DK

The quantitative assessment may also be used to assess the extent to which the organization is
perceived to deal with these risks without delay, should they occur, e.g., the extent to which
unethical behavior (conduct), when it occurs, is encouraged, condoned, ignored (turning a blind
eye), discouraged but not dealt with, or discouraged and dealt with effectively. A further use of such
a quantitative assessment may be to assess whether the respondents to the survey are familiar with
policies that exist in the organization to deal with such behaviors.

Should the ethics aspect of the organizational culture be weak or underdeveloped, prevailing
beliefs, practices, and behaviors become an ethics risk. Ethical culture risks could therefore also be
addressed by means of the ethics risk survey. See the ethical culture risk table later in this section
for an example.

No.  Ethics management risk                                                              Yes   No   I don't know
 1   I know who the organisation's ethics champion (or Ethics Officer) is               Yes   No   –
 2   The organisation has an ethics committee/task team                                  Yes   No   I don't know
 3   There is a facility in the company where I can get advice on ethics                 Yes   No   I don't know
     (e.g., whether I can accept a gift from a supplier or not)
 4   There is a facility in the company where I can safely report (blow the whistle on)  Yes   No   I don't know
     unethical behaviour
 5   I feel equipped to deal with ethical issues                                         Yes   No   I don't know
 6   Ethics/integrity is an aspect of my own performance appraisal                       Yes   No   I don't know
 7   There are ethics awareness campaigns in the company                                 Yes   No   I don't know
 8   New employees receive ethics training                                               Yes   No   I don't know

The value of qualitative data obtained through the qualitative aspect of ethics risk assessment
interventions should never be negated, as the data reflects the true opinions that respondents
offer freely, as opposed to data obtained through surveys, where respondents provide answers
only within the parameters of what is offered to them.

Risk rating
Quantitative data is easily interpreted using a risk rating scale. As an example, the scale below
utilizes agreement scores (in terms of responses to ethics risk surveys) and could be used to present
the ethics opportunities and risks (threats) to which an organization may be exposed.


Risk category      Low risk   Moderate risk   High risk
Agreement score    0 - 33     34 - 66         67 - 100

Low risk areas refer to issues (or behaviors) where respondents Disagree or strongly disagree that
these issues are prevalent in (or relevant to) the organization. Moderate risk areas refer to issues (or
behaviors) where respondents only slightly disagree or slightly agree that these issues are prevalent
in (or relevant to) the organization. High risk areas refer to issues (or behaviors) where respondents
Agree or strongly agree that these issues are prevalent in (or relevant to) the organization.
All moderate and high risks should be brought to the attention of the organization's risk function,
who, in turn, could integrate these risks into the portfolio of organizational risks to be managed.
Furthermore, an organization could, for example, identify its top 5 to 10 high risk areas and label
these material ethics risks, i.e., risks that could undermine the organization's efforts to reach its
objectives through the implementation of organizational strategies. These material ethics risks will
then also fall within the ethics aspect of the ethics committee's mandate. This process will be
clearly illustrated in the case study and ethics risk management toolbox, to be presented in
another section of the handbook.
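The rating procedure described above, worked through as an added example (this is not code from the learner guide). It assumes the 1-6 answer scale used in the survey tables (1 = strongly agree, 6 = fully disagree, DK = I don't know), excludes DK answers, and takes the agreement score as the mean answer rescaled to 0-100, an assumption the guide does not state; the band thresholds and the material-risk selection are the guide's own.

```python
"""Turning ethics-survey answers into risk ratings and a draft ethics risk register.

Assumptions (not stated in the guide): answers are 1..6 or "DK"; "DK" is
excluded; the agreement score is the mean answer rescaled so that a mean of 1
(everyone strongly agrees) gives 100 and a mean of 6 (everyone fully disagrees)
gives 0. Bands follow the guide: 0-33 low, 34-66 moderate, 67-100 high.
"""
from statistics import mean
from typing import Dict, List, Optional, Union

Answer = Union[int, str]        # 1..6, or the string "DK"

LOW_MAX, MODERATE_MAX = 33, 66  # band boundaries taken from the guide


def agreement_score(answers: List[Answer]) -> Optional[int]:
    """Return the 0-100 agreement score for one survey item.

    Returns None when every respondent answered DK (nothing to rate) and
    rejects answers outside the survey scale instead of silently skipping them.
    """
    valid = []
    for a in answers:
        if a == "DK":
            continue
        if not isinstance(a, int) or not 1 <= a <= 6:
            raise ValueError(f"answer outside the 1-6/DK scale: {a!r}")
        valid.append(a)
    if not valid:
        return None
    # mean 1 -> 100 (high agreement), mean 6 -> 0 (no agreement)
    return round((6 - mean(valid)) / 5 * 100)


def rate(score: int) -> str:
    """Map an agreement score onto the guide's low / moderate / high bands."""
    if score <= LOW_MAX:
        return "low"
    if score <= MODERATE_MAX:
        return "moderate"
    return "high"


def build_register(survey: Dict[str, List[Answer]], top_n: int = 5) -> List[dict]:
    """Rate every item, keep the moderate and high ones for the risk function,
    and flag the top_n highest-scoring high risks as material ethics risks."""
    rated = []
    for item, answers in survey.items():
        score = agreement_score(answers)
        if score is None:
            continue  # answered only with DK: cannot be rated
        rated.append({"item": item, "score": score, "rating": rate(score)})
    rated.sort(key=lambda r: r["score"], reverse=True)
    material = [r["item"] for r in rated if r["rating"] == "high"][:top_n]
    register = [r for r in rated if r["rating"] != "low"]
    for r in register:
        r["material"] = r["item"] in material
    return register


# Constructed sample answers from six respondents per item (not real data);
# the item wording comes from the supplier-relations survey table.
SAMPLE_SURVEY = {
    "Employees are rude to suppliers": [5, 6, 5, 4, 6, "DK"],
    "Suppliers have to wait very long to receive payment": [1, 2, 2, 1, 3, 2],
    "Accepting bribes/kickbacks from suppliers/contractors for awarding business":
        [3, 4, 3, 4, "DK", 4],
    "The process of awarding contracts to suppliers is unfair": ["DK", "DK"],
}

if __name__ == "__main__":
    for entry in build_register(SAMPLE_SURVEY, top_n=5):
        flag = " (material)" if entry["material"] else ""
        print(f"{entry['score']:3d}  {entry['rating']:8s}  {entry['item']}{flag}")
```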

Strategy
Once an organization has assessed its ethics opportunities and risks, it can proceed to meaningfully
utilize, in a structured way, the information obtained. As such, the type of ethics management
strategy required to capitalize on opportunities and mitigate negative risks could be informed by
the results of the risk assessment.

For example, should an organization decide on a compliance strategy to deal with the risk supplier
relations, it would translate this strategy into an ethics management plan designed to strictly
monitor and regulate relations with suppliers. On the other hand, an integrity- or values-based
strategy could focus on regular values-based discussions as a component of the organization’s more
encompassing stakeholder relations drive, rather than adopting many rules and policies and
following a punitive approach.

Codes and policies


The organization should then ensure that the ethics risks identified are sufficiently accounted for in
current codes of ethics and ethics-related policies. If not, the codes and policies need to be revised.
It may even be necessary to formulate new or additional policies.

It is also then required to link the codes and policies to the ethics management strategy that is
deemed appropriate for the organization now. For example, a compliance strategy would have at its
core a code of ethics with a strong directional/rules-based focus. Such a code will contain clear
guidelines on how suppliers should be treated, and how suppliers are expected to act in accordance
with organizational prescripts. Moreover, stringent procurement policies and processes that
provide specific guidance on how to manage supplier relations need to be formulated. At a micro
level, the finance function (creditors) would have very specific rules regarding when suppliers should
be paid, e.g., within 25 days of submitting an invoice. Some organizations have specific clauses
included in supplier contracts, according to which suppliers are expected to adhere to the
organization's ethics requirements. A gift registry system must be implemented and closely
monitored, to prevent employees from accepting irregular or expensive gifts from suppliers.

Should an integrity- or values-based strategy be followed, the code of ethics would have an
inspirational character, whereby values-based guidelines on the treatment of business partners (e.g.,
suppliers) will be provided in broad terms. In this example, procurement policies that have room for
discretion would probably be formulated.

Institutionalizing ethics
The formulation of appropriate codes and policies to utilize ethics opportunities and mitigate
negative risks is followed by the institutionalization of ethics guidelines contained in codes and
policies. Specific ethics awareness programs and dedicated ethics training programs must be
designed and implemented for the organization’s employees, specifically those in the procurement
function, and for suppliers/contractors alike.

A critical consideration for ethics practitioners is that ethics must be strategically incorporated into
the existing business processes of the organization. It is thus imperative that the ethics office form
a partnership with the risk managers. Since risk managers are the custodians of all risks in an
organization, they enjoy the respect and co-operation of colleagues. They report to an oversight
structure (e.g., risk and/or audit committee(s) of the board). Therefore, an ethics risks register
should be compiled after an ethics opportunity-risk assessment has been conducted. This action
should be executed through a joint effort of the risk manager and the ethics officer. Through this
approach, the ethics risks will be incorporated into the organization-wide risk management
framework (managed by risk managers).

The risk manager will facilitate the identification of ethics risks, and then develop an ethics risk
register. The risk owners, typically line managers, will be
identified based on the issues that emanate from the
ethics risk assessment, and these will be communicated to
them. Action plans are then developed (largely ethics programs
that the risk owner will have to implement in conjunction with
the ethics officer), and timelines will be allocated. For example,
in the case of the supplier relations risk, the risk area gifts from
suppliers will be appropriated by the risk manager, while line
managers, particularly those in the procurement function, would become the risk owners.

Monitoring and reporting


The implementation of the ethics management strategy and ethics management plan should be
monitored. The ethics office would work closely with the organization’s internal audit function at
this juncture. Results of such monitoring actions, as well as the current state of ethics of the
organization, should be regularly reported to the management and governance structures that
oversee the organization’s ethics management.

Ethical culture risk                                                              Strongly agree ... Fully disagree   I don't know
No.  As it relates to Organisation X …
 2   Employees know exactly what is expected of them in terms of ethical behaviour            1 2 3 4 5 6            DK
 7   Employees are comfortable approaching superiors with ethical matters/concerns           1 2 3 4 5 6            DK
 9   Business that violates principles of honest and responsible conduct is turned away     1 2 3 4 5 6            DK
13   Organisational leaders set a good example of honest and responsible behaviour           1 2 3 4 5 6            DK
16   Employees consider ethical consequences when making decisions                           1 2 3 4 5 6            DK
22   Ethics policies and procedures are applied consistently                                 1 2 3 4 5 6            DK

In terms of ethics management risk, a section that could be included in a quantitative ethics risk
assessment (survey) is provided in the ethics management risk table earlier in this section.

The ethics of ethics risk assessment


Ethics risk assessment is, in essence, like many other research interventions in academia and
organizations. For this reason, an ethics risk assessment warrants the same rigorous research ethics
standards as would be applicable to any other research project. Moreover, any research intervention
with ethics as the central theme may be problematic, as the potential research subjects may feel
personally threatened or uncomfortable answering ethics-related questions.

The main premise upon which research ethics is based is to avoid harm to subjects. This is
irrespective of the research methodology adopted for the assessment process, i.e., qualitative
and/or quantitative. In the attempt to avoid harm, the following research ethics principles should be
accounted for during an ethics risk assessment process:
Content
Researchers and, in this case, ethics risk assessors have an ethical obligation to ensure that nothing
but the organization's ethics risk is measured. This will result in sound face validity (items/questions
are perceived by subjects as assessing ethics risks, nothing else) and construct validity (ethics risk as
a construct is indeed measured). The questions posed to subjects during an ethics risk assessment
intervention, whether in interviews or as items in a quantitative survey, should also be non-invasive.
This implies that subjects should not be psychologically uncomfortable responding to questions, nor
be hesitant to expose 'their inner selves' during the assessment process. Questions should be
formulated in such a way that perceptions are assessed, not personal integrity or propensity for
ethical or unethical behavior. In both quantitative and qualitative ethics risk assessments, subjects
should all be asked the same questions, as this will ensure assessment reliability.


Objectivity
For an ethics risk assessment to be objective and to be perceived as objective by the organization
and its participating stakeholders, it is advisable to utilize an independent third-party organization
and its interviewers/facilitators as the assessing entity. Research subjects are less reluctant to share
sensitive information pertaining to ethics risks with an objective third party that has no vested
interest in the outcome of the risk assessment. Interviewers and facilitators should be properly
trained, to ensure a professional and objective assessment.

Informed consent
Research subjects, i.e., participants (the term that applies to qualitative assessment) and
respondents (applicable in quantitative assessment), should be informed of:
1. how they were selected to participate in the assessment (preferably through a random selection
by, e.g., employee number)
2. what the assessment will entail in terms of process and content
3. how the results will be used by the organization
4. the fact they will receive feedback once the results of the assessment have been shared with the
organization’s senior leadership
5. the voluntary nature of their participation
6. their right to withdraw from the assessment at any time, without consequences
7. the source that they should contact should any item or procedure in the assessment process be
unclear
8. the fact that, by participating in the assessment process, they automatically give their informed
consent

It is crucial that subjects are informed by the chief executive officer about the imminence and nature
of the assessments well prior to commencement.

Anonymity
The cardinal rule is that subjects should never suspect that their identity could be revealed in any
way. Demographic information solicited in quantitative surveys should be limited to information
that will be essential to decision-makers involved in risk mitigation. Respondents should not be
required to surrender personal information such as names or employee numbers. Participants in
interviews should be well briefed on their ethical rights. In the case of group interviews, facilitators
should clearly communicate that the participants' identities are of no importance, but that obtaining
their perceptions of ethics opportunities and risks that occur in the organization is the true objective
of the assessment process. The use of attendance registers should be avoided. As an ethics risk
assessment is not a forensic investigation, participants should be discouraged from identifying ethics
transgressors, but should rather focus on the type and frequency of ethical transgressions.

Confidentiality
All information obtained, demographic or otherwise, should always be kept absolutely confidential.
Surveys should be hosted by external, independent data-hosting service providers, and should
preferably not be channeled via the organization’s IT function. Trends or patterns of behavior should
be reported in the risk profile documents and during feedback sessions, rather than who did what
when.


Ethics and Decision-Making


Ethical decision-making refers to the process of evaluating and choosing among alternatives in a
manner consistent with ethical principles. In making ethical decisions, it is necessary to perceive
and eliminate unethical options and select the best ethical alternative.

Ethical decision-making framework


The flowchart below outlines the steps in the ethical decision-making process. Each step is described
in further detail below.

Recognising that there is an ethical question:


• requires you to think about how you should act and what you should do in each situation
• could relate to a situation and/or a decision that you make, which could be potentially damaging
to a client or a stakeholder
• could involve a choice between a good and a bad outcome – e.g., a situation where Immigration
New Zealand would decline your client’s visa application because of certain information that the
client has disclosed to you, but of which Immigration New Zealand is unaware.
Understanding the facts of the situation:
• requires you to consider how you can learn more about the situation including making enquiries
and finding additional facts to ensure you have the best possible understanding of the situation.

Understanding the options available to you:


• requires you to identify and understand each option available to you
• requires you to consider any legislative requirements, professional standards (such as the Code),
immigration law and instructions, as these may influence your options.

Understanding the consequences of the options:


• requires you to work out how different parties will be affected by each option - these parties can
include the client, stakeholders within the New Zealand immigration system, your employer and
other advisers
• requires you to be aware that your overriding duty is always to act in the lawful and legitimate
interests of your client


• requires you to ask yourself some searching questions, for example:


o If I am going to act in a way that is adverse to my client's interests in any way, am I justified in
doing so?
o Which option will produce the best for my client even if it will upset another person or cause
me discomfort or loss?
o Will this require me to act in a way that will harm someone else or go against my personal
beliefs or ethics?
o Is there a way to act that will not damage my client’s interests but will reduce or prevent
harm to another person or institution?
o Is there a way to act that will not damage my client’s interests and will allow me to act in the
way I believe is consistent with the type of adviser that I want to be?

Testing the option you plan to take:


• requires you to consider the possible effects of all the different options
• requires you to reflect on and thoroughly review the option that you plan to take – in doing so,
you should ask yourself the following questions:
o Am I feeling uncomfortable with what I am about to do?
o If so, why am I feeling uncomfortable about this option?
o Why am I making this decision?
o Would I be happy if this was done to me?
o Would I be happy explaining this to different parties within the New Zealand immigration
system and explaining why I did what I am planning to do?

Explaining the option you have decided on to those affected and to other interested parties:
• requires you to act in a way that your client, or another party, may not like or may find difficult
to understand
• requires you to be able to justify your actions in a logical and straightforward manner - if you
cannot explain your actions, then it is more likely that you are acting based on your feelings or
prejudices
• will often require you to have kept excellent records that note the essentials of what the issue
was, what you did to resolve it, the options you considered and how you communicated your
decision to those affected.

Acting on the chosen option:


• requires you to consider how you will go about implementing your decision
• requires you to carry through with the action you decided to take.

Reflecting on the outcome:


• requires you to assess how your decision turned out and what you learnt from this specific
situation - to objectively evaluate what has happened and whether the option you took worked.


Ethics of Governance
Organizations Data is committed to ethical and lawful business conduct in all countries in which it
operates. We believe that an integrated approach to governance, ethics, risk, and compliance
strengthens our values and promotes our objectives as a responsible business.

Ethics policy
All business dealings
are carried out with transparency and integrity. We encourage our employees to uphold our
principles, values, and ethics policy. We provide guidelines to explain what is expected of every
person who works for Organizations Data, irrespective of where we do business.
Organizations Data’s practice of responsible corporate behavior includes:
• compliance with all laws and regulations
• zero tolerance for corrupt or illegal practices
• an anti-bribery and corruption policy which states that bribes and
other illicit payments may not be paid or accepted
• a policy which specifies the giving and acceptance of business gifts
and hospitality
• maintaining the confidentiality of clients’ information and personal data
• not participating in any conduct that constitutes anti-competitive behavior
• not permitting directors or employees to engage in business on behalf of Organizations Data
with organizations in which they have a material interest, without full disclosure

Organizations Data’s Group Ethics and Compliance Committee reports to the Audit Committee on all
aspects of the Group’s compliance with relevant laws, regulations, external policies, as well as with
its own internal policies and procedures for ethical business practices. Our Compliance office
manages an ethics and compliance programme which provides guidance on business conduct and
ethics and conducts periodic compliance reviews.

Risk Management process


The risk management process is a framework for the actions that need to be taken. There are five
basic steps that are taken to manage risk; these steps are referred to as the risk management
process. It begins with identifying risks, goes on to analyse risks, then the risk is prioritized, a solution
is implemented, and finally, the risk is monitored. In manual systems, each step involves a lot of
documentation and administration.

Step 1: Identify the Risk


The first step is to identify the risks that the business is exposed to in its operating environment.
There are many different types of risks – legal risks, environmental risks, market risks, regulatory
risks, and much more. It is important to identify as many of these risk factors as possible. In a manual
environment, these risks are noted down manually. If the organization has a risk management
solution employed, all this information is inserted directly into the system. The advantage of this
approach is that these risks are now visible to every stakeholder in the organization with access to
the system. Instead of this vital information being locked away in a report which must be requested
via email, anyone who wants to see which risks have been identified can access the information in
the risk management system.

Step 2: Analyse the Risk


Once a risk has been identified it needs to be analysed. The scope of the risk must be determined. It
is also important to understand the link between the risk and different factors within the
organization. To determine the severity and seriousness of the risk it is necessary to see how many
business functions the risk affects. There are risks that can bring the whole business to a standstill
if actualized, while there are risks that will only be minor inconveniences in the analysis. In a manual
risk management environment, this analysis must be done manually. When a risk management
solution is implemented one of the most important basic steps is to map risks to different
documents, policies, procedures, and business processes. This means that the system will already
have a mapped risk framework that will evaluate risks and let you know the far-reaching effects of
each risk.

Step 3: Evaluate or Rank the Risk


Risks need to be ranked and prioritized. Most risk management solutions have different categories
of risks, depending on the severity of the risk. A risk that may cause some inconvenience is rated
lowly; risks that can result in catastrophic loss are rated the highest. It is important to rank risks
because it allows the organization to gain a holistic view of the risk exposure of the whole
organization. The business may be vulnerable to several low-level risks, but it may not require upper
management intervention. On the other hand, just one of the highest-rated risks is enough to
require immediate intervention.

Step 4: Treat the Risk


Every risk needs to be eliminated or contained as much as possible. This is done by connecting with
the experts of the field to which the risk belongs. In a manual environment, this entails contacting
each stakeholder and then setting up meetings so everyone can talk and discuss the issues. The
problem is that the discussion is broken into many different email threads, across different
documents and spreadsheets, and many different phone calls. In a risk management solution, all the
relevant stakeholders can be sent notifications from within the system. The discussion regarding the
risk and its possible solution can take place from within the system. Upper management can also
keep a close eye on the solutions being suggested and the progress being made within the system.
Instead of everyone contacting each other to get updates, everyone can get updates directly from
within the risk management solution.

Step 5: Monitor and Review the Risk


Not all risks can be eliminated – some risks are always present. Market risks and environmental risks
are just two examples of risks that always need to be monitored. Under manual systems monitoring
happens through diligent employees. These professionals must make sure that they keep a close
watch on all risk factors. Under a digital environment, the risk management system monitors the
entire risk framework of the organization. If any factor or risk changes, it is immediately visible to
everyone. Computers are also much better at continuously monitoring risks than people. Monitoring
risks also allows your business to ensure continuity. A risk management plan should be created to
monitor and review the risk.

The Basics of The Risk Management Process Stay the Same


Even under a digital environment, the basics of the risk management process stay the same. What
changes is how efficiently these steps can be taken, and as it should be clear by now, there is simply
no competition between a manual risk management system and a digital one. There are also many
new risks that businesses are facing for the first time in 2019, and modern problems require modern
solutions.

Risk Management Evaluation


Any business that wants to maximize its risk management efficiency
needs to focus on risk management evaluations. These evaluations
and assessments help businesses truly understand their own
capabilities, strengths, and vulnerabilities. More evaluations result in
more insights about where the business needs to improve its risk
management framework. It can be difficult to carry out these evaluations manually, but risk
management solutions and technology can simplify the evaluation and assessment workflow. It is
important to do an evaluation before making any major changes to the risk management
framework.

Risk management is an important business practice that helps businesses identify, evaluate, track,
and improve the risk mitigation process in the business environment. Risk management is practiced
by businesses of all sizes; small businesses do it informally, while enterprises codify it. Businesses
want to ensure stability as they grow. Managing the risks that are affecting the business is a critical
part of this stability. Not knowing about the risks that can affect the business can result in losses for
the organization.

Being unaware of a competitive risk can result in loss of market share, being unaware of financial risk
can result in financial losses, being unaware of a safety risk can result in an accident, and so on.
Businesses have dedicated risk management resources; small businesses may have just one risk
manager or a small team while enterprises have a risk management department. People who work
in the risk management domain monitor the organization and its environment. They look at the
business processes being followed within the organization, and they look at the external factors
which can affect the organization one way or the other. A business that can predict a risk will always
be at an advantage. A business that can predict a financial risk will limit its investments and focus on
strengthening its finances.

A business that can assess the impact of a safety risk can devise a safe way to work which can be a
major competitive advantage. If we think of the business world as a racecourse then the risks are the
potholes which every business on the course must avoid if they want to win the race. Risk
management is the process of identifying all the potholes, assessing their depth to understand how
damaging they can be, and then preparing a strategy to avoid damages. A small pothole may simply
require the business to slow down while a major pothole will require the business to avoid it
completely. Knowing the severity of a risk and the probability of risk helps businesses allocate their
resources effectively. If businesses understand the risks that affect them then they will know which
risks need the most attention and resources and which ones the business can disregard. Risk
management allows businesses to act proactively in mitigating vulnerabilities before any major
damage is incurred. There are different types of risk management strategies and solutions for
different types of risks.

Ergonomics risk management process


The Draft Ergonomics Regulations were published by the Minister of Labor for public comment on 27
January 2016. Please refer to the previous Saiosh newsletter. Members are urged to study these
regulations and to submit comments before the closing date. These regulations could potentially
have a major impact on your business.

The draft regulations refer to "Ergonomics Risk Assessment", "Ergonomics Programme",


"Ergonomics Risk Factors" and "Competent Person" in relation to ergonomics. If these regulations
are promulgated unchanged then:
• All employers or self-employed persons which may expose any person to physical or cognitive
ergonomic risk factors will have to establish for all employees and mandatories an ergonomics
training programme.
• The training shall be provided by a person that is competent in ergonomic risk factors.
• All employers who may expose employees to ergonomic risk factors shall have an ergonomics
risk assessment performed by a competent person.
• Below is the Department of Labor’s Ergonomics Risk Management Process flow chart. By
implication (refer to the left table) the competent persons referred to in the draft regulations are
"Ergonomic Assessors", "Occupational Hygienists" and "Ergonomists".


The Ethics Institute (TEI)


The Ethics Institute (TEI), in partnership with the Institute of Business Ethics (IBE) in the United
Kingdom, launched its latest publication, entitled The Ethics and Compliance Handbook, at its 7th
Annual Conference in May.

Business process selection


The Business Process Selection is the first step in the Risk Management Process, and for this we
consider an extract from our definition, viz. "the process of identifying risk".

The Risk Universe has listed 65 business processes, but not all of these would necessarily be
applicable to your business, so you would need to select those that are applicable and consider only
those specifically for your business.

For example:
• If your business does not sell on credit, you could eliminate the Debtors Business Process, or
• If your business only buys for cash, you could eliminate the Creditors Business Process.

Risk analysis
The second step in the Risk Management Process is Risk Analysis, and for this we consider an extract
from the definition, viz. "analyzing and ranking the importance of the identified risks".

Once you have identified the business processes that are applicable to your business, have
defined the objectives of each of these business processes, and have identified the risks that could
prevent you from achieving these objectives, you need to analyze the risks and rank them according
to:
• The Likelihood that the risk will occur, and
• The Impact that the risk will have if it does occur

An example of how a risk analysis could be used is depicted in the Figure below, which shows the Risk of
Impact that the Reserve Bank uses as a frame of reference.

The more traditional way to depict the risk analysis is in a Risk Matrix, where the Impact is depicted on one
axis and the Likelihood on the other axis. In this type of scatter graph each risk is mapped according to the
Impact and the Likelihood as rated by management during the risk assessment and the risk rating is drawn
from the shading on the graph, according to the block in which it falls. (See Figure 5.2 below).

Thus, if the impact of a specific risk was rated as 2 and the likelihood was also rated as 2, the risk rating would
be in block 6 and thus a Low Risk. Likewise, if the impact was rated as 4 and the likelihood rated as 3, the
risk rating would fall into Block 18 and would thus be rated as Medium Risk. Similarly, if the impact was
rated as 5 and the likelihood rated as 5, the risk rating would fall into Block 25 and would thus be rated as
High Risk.

Traditionally the risk rating is on a scale of 3, with High, Medium, or Low as the ratings, but some
practitioners add an additional category of Extreme, or some similar name, for blocks 23 to 25. However, it is
submitted that this adds an unnecessary level of complexity, as the reaction to a high risk and an extreme
risk should be similar: both should trigger alarm at Board level and require immediate reaction. Also, some
risk practitioners use a scale of 1 to 10, which may lead to a lot of discussion on each point, which is not
beneficial to the risk analysis process.

Ethics and Decision-Making

The risk assessment process


A risk assessment is an examination of a given task that you undertake at work that could
potentially cause harm to people. The goal is to understand any potential hazards before
outlining and undertaking reasonable steps to prevent harm. Therefore, a risk
assessment can help you to understand and take precautions for such eventualities. Finally,
remember that some regulations will likely require certain control measures to be put in
place; see step 3 for more information on this. If you need help creating a risk assessment,
then be sure to use our free risk assessment template online or download our free app to
streamline the process and undertake risk assessments wherever you may be.
Below are the five steps to risk assessment, as outlined by the HSE. These steps should be adhered
to when creating a risk assessment.

Step 1: Identify the hazards.


Workplace hazards can come in many forms, such as physical, mental, chemical, and biological, to
name just a few. Hazards can be identified by using several techniques, although one of the most
common remains walking around the workplace to see first-hand any processes, activities, or
substances that may injure or cause harm to employees. Of course, if you work in the same
environment every day, then you may miss some hazards; therefore, the HSE also recommend
looking at and considering your accident and ill-health record, non-routine operations, and long-term
hazards to health.

Step 2: Decide who may be harmed and how


Identifying who may be at risk extends to full and part-time employees, contract staff, visitors,
clients, and other members of the public at the workplace. You should also consider people who may
not be in the office all the time or who are present at different times, such as employees working night
shifts, and lone workers. For each hazard you will need to understand who may be harmed; this,
of course, will help you to identify preventive measures for controlling a given risk.

Step 3: Evaluate the risks and decide on control measures


Once you've identified hazards, the next logical step is to completely remove the associated risks;
however, where this is not possible, certain control measures should be put in place. For
example, if an employee is a cleaner, then they'll inevitably come into contact with chemicals. The
likelihood is that such a hazard cannot be removed; however, certain control measures, such as
providing protective gloves, mops, and even training for safely storing and handling cleaning
chemicals, can and should be in place. Below is an example of just some hazards, which can easily be
applied to risk assessments using our risk assessment template and award-winning safety app.
• Contact with cleaning chemicals, e.g. bleach, with risk of skin irritation or eye damage from direct
contact with cleaning chemicals
• Vapor from cleaning chemicals can cause breathing problems
• Dust and off-cuts will be produced, with possible slip / spillage
• Electrical tools required to carry out work, with risk of potentially fatal shocks or burns
• Falling objects from work area above, which could be fatal
• Lone working, with risk of injury or ill health while working alone
• Manual handling: materials will need to be carried to the work area, which if not done correctly
can cause immediate or longer-term injury
• Noise from nearby equipment or other tradesmen, which can cause discomfort and potential
damage
• Possible asbestos on site, with risk of fibers in the air being inhaled when disturbed
• Possible disturbance of water / gas or electrical works
• Slips, trips and falls, which can cause sprains, fractures etc. if people fall over debris / offcuts /
tools or slip on spillages
• Working at height, with risk of potentially fatal falls, or bruising / fractures

Step 4: Record your findings


The HSE recommend that you should record your significant findings. Such findings will include the
hazards, how people may be harmed by them, and, essentially, the control measures that you have
implemented. It's worth highlighting that currently only organisations with five or more staff are
required to record the findings of a given risk assessment in writing; regardless, it's still good practice
to have a reference. Recording your findings does not need to be a lengthy exercise; in fact, the HSE
currently states "For most people this does not need to be a big exercise - just note the main points
down about the significant risks and what you concluded".

Step 5: Review the risk assessment


Last, but not least, review the risk assessment. Over time, workplaces will change: there may be
new equipment, substances, and/or tasks that have been introduced since the last assessment took
place. With this in mind, it's recommended that you look back on past risk assessments and consider
whether there have since been significant changes, and if so, whether there are new hazards and/or control
measures that should be introduced.

Frequency, scope, and depth of ethics and risk assessment

Risk rating (Mitigation process)

All companies face risk; without risk, rewards are less likely. The flip side of this is that too much risk
can lead to business failure. Risk management allows a balance to be struck between taking risks and
reducing them.
Effective risk management can add value to any organization. In particular, companies operating in
the investment industry rely heavily on risk management as the foundation that allows them to
withstand market crashes.
An effective risk management framework seeks to protect an organization's capital base and
earnings without hindering growth. Furthermore, investors are more willing to invest in companies
with good risk management practices. This generally results in lower borrowing costs, easier access
to capital for the firm, and improved long-term performance.
Effective risk management plays a crucial role in any company's pursuit of financial stability and
superior performance. The adoption of a risk management framework that embeds best practices
into the firm's risk culture can be the cornerstone of an organization's financial future.

There are at least five crucial components that must be considered when creating a risk
management framework. They include risk identification; risk measurement and assessment; risk
mitigation; risk reporting and monitoring; and risk governance.

Risk Identification
The first step in identifying the risks a company faces is to define the risk universe. The risk universe
is simply a list of all possible risks. Examples include IT risk, operational risk, regulatory risk, legal risk,
political risk, strategic risk, and credit risk.

After listing all possible risks, the company can then select the risks to which it is exposed and
categorize them into core and non-core risks. Core risks are those that the company must take in
order to drive performance and long-term growth. Non-core risks are often not essential and can be
minimized or eliminated completely.

Risk Measurement
Risk measurement provides information on the quantum of either a specific risk exposure or an
aggregate risk exposure and the probability of a loss occurring due to those exposures. When
measuring specific risk exposure it is important to consider the effect of that risk on the overall risk
profile of the organization.

Some risks may provide diversification benefits while others may not. Another important
consideration is the ability to measure an exposure. Some risks may be easier to measure than
others. For example, market risk can be measured using observed market prices, but measuring
operational risk is considered both an art and a science.

Specific risk measures often give the profit and loss ("P/L") impact that can be expected if there is a
small change in that risk. They may also provide information on how volatile the P/L can be. For
example, the equity risk of a stock investment can be measured as the P/L impact of the stock as a
result of a 1 unit change in, say, the S&P500 index or as the standard deviation of the particular
stock.

Common aggregate risk measures include value-at-risk (VaR), earnings-at-risk (EaR), and economic
capital. Techniques such as scenario analysis and stress testing can be used to supplement these
measures.

Risk Mitigation
Having categorized and measured its risks, a company can then decide on which risks to eliminate or
minimize, and how much of its core risks to retain. Risk mitigation can be achieved through an
outright sale of assets or liabilities, buying insurance, hedging with derivatives, or diversification.

Risk Reporting and Monitoring


It is important to report regularly on specific and aggregate risk measures in order to ensure that risk
levels remain at an optimal level. Financial institutions that trade daily will produce daily risk reports.
Other institutions may require less frequent reporting. Risk reports must be sent to risk personnel
who have the authority to adjust (or instruct others to adjust) risk exposures.

Risk Governance
Risk governance is the process that ensures all company employees perform their duties in
accordance with the risk management framework. Risk governance involves defining the roles of all
employees, segregating duties, and assigning authority to individuals, committees, and the board for
approval of core risks, risk limits, exceptions to limits, and risk reports, and also for general
oversight.

An ethics management response to risk identification and risk rating


Risk identification is the process of determining risks that could potentially prevent the program,
enterprise, or investment from achieving its objectives. It includes documenting and communicating
the concern. Risk identification is the critical first step of the risk management process depicted in
the figure below.

The objective of risk identification is the early and continuous identification of events that, if they
occur, will have negative impacts on the project's ability to achieve performance or capability
outcome goals. They may come from within the project or from external sources.

There are multiple types of risk assessments, including program risk assessments, risk assessments
to support an investment decision, analysis of alternatives, and assessments of operational or cost
uncertainty. Risk identification needs to match the type of assessment required to support risk-
informed decision making. For an acquisition program, the first step is to identify the program goals
and objectives, thus fostering a common understanding across the team of what is needed for
program success. This gives context and bounds the scope by which risks are identified and assessed.

Risk Rating is assessing the risks involved in the daily activities of a business and classifying them
(low, medium, high risk) on the basis of the impact on the business. It enables a business to look for
control measures that would help in curing or mitigating the impact of the risk and in some cases
negating the risk altogether.

In situations where the risk cannot be mitigated or negated the business has to accept that the risk is
open and there are no control functions to curb the impact. It depends on the likelihood of the risk
event occurring and the severity of the impact on the business and its employees.

Risk is rated on the impact on the business which can be economic or reputational and its likelihood
of occurring in the near future. This is the common pattern of risk across businesses.

Impact of Risk Rating


Low: A low rated event is one with little / no impact on the business activities and the reputation of
the firm.
Low/Medium: Risk events that can have an impact on a small scale are rated as low/medium risk.
Medium: An event that would result in risks that can cause an impact but not a serious one is rated
as medium.
Medium/High: Severe events that can cause a loss of business, but whose effects fall below those of a
risk that is rated as high.
High: A major event that can cause reputational and economic damage that will result in huge
business and client base losses.

Likelihood Rating
This rates the risk on the basis of its recurrence which can change depending on the type of the
business that is being considered. For example, for a fast-food company, a frequent likelihood rating
will be something that can happen every day whereas for an investment bank it would be something
that happens in a month or so.
• Frequent
• Likely
• Possible
• Unlikely
• Rare

The ethics of ethics risk assessment


Ethics are important in any professional field. Your moral compass guides your decisions and
conduct, and in the Risk Management field, can impact everyone associated with the company
(employees, leadership, stakeholders, shareholders, etc.). As a professional in the Risk Management
field, one analyzes and attempts to quantify the potential for losses. Then, he/she takes action or
inaction depending on the analysis. Thus, ethical behavior from Risk Management professionals is a
vital component of a business. Ethics in business, also known as corporate ethics, examines ethical
principles and moral or ethical problems that arise in a business environment.

It is important to differentiate between 'feelings', 'laws', 'social norms' and 'ethics'. Many times,
people tend to equate ethics with their feelings. However, being ethical is not always a matter of
following one's feelings. A person following his or her feelings may shy away from doing what is
right. In fact, feelings frequently deviate from what is ethical. Furthermore, being ethical is also not
always the same as following the law. The law often incorporates ethical standards to which most
citizens subscribe. But laws, like feelings, can deviate from what is ethical. One example is America's
own pre-Civil War slavery laws that are grotesquely obvious examples of laws that deviate from
what is actually ethical. Finally, being ethical is not the same as doing "whatever society accepts." In
any society, most people accept standards that are, in fact, ethical. But standards of behavior in
society can deviate from what is ethical. An entire society can become ethically corrupt. Nazi
Germany is a good example of a morally corrupt society.

What, then, is ethics? First, ethics refers to standards of right and wrong that prescribe what humans
ought to do, usually in terms of rights, obligations, benefits to society, fairness, or specific virtues.
Ethical standards include standards relating to rights, such as the right to life, the right to freedom from
injury, and the right to privacy. Such standards are adequate standards of ethics because they are
supported by consistent and well-founded reasons.

Secondly, ethics refers to the study and development of one's ethical standards. As mentioned
above, feelings, laws, and social norms can deviate from what is ethical. So, it is necessary to
constantly examine one's standards to ensure that they are reasonable and well-founded. Ethics also
means, then, the continuous effort of studying our own moral beliefs and our moral conduct, and
striving to ensure that we, and the organizations we help to shape, live up to standards that are
reasonable and solidly-based.

Handout sample at the end of the Learning: Worksheet for Ethical Deliberation
This worksheet has been designed to assist advisers to make professional and ethically responsible
decisions, by encouraging them to think about their own ethical standards in a professional context,
and reflecting on the following questions:
• What are ethics? Why are they important?
• What ethical behaviors do I think are important to display as an adviser?
• How do my decisions affect my clients and others?

Methodology

With reference to the flowchart below, write under each heading the relevant points that apply to
the ethical situation that you are trying to resolve.

1. Recognise that there is an ethical dilemma

What is the situation?

Do I have choices?

What is at stake?

2. Understand the facts of the situation

What are the facts?

Do I need to find anything out?

3. Understand the options available

What are my options?

Do any laws/professional ethics influence my options?

4. Understand the consequences of the options

What are the consequences of each option?

Who will be affected by each option?

How will the parties be affected by each option?

5. Test the option you plan to take

Which is the best option?

Thoroughly review the preferred option:

Will the preferred option be difficult for others to understand?

Can I justify my actions?

How will I implement the decision?

6. Explain the option you have decided upon

Explain my actions – I should be able to justify them in a logical and straightforward manner

I should have kept records of my decision – now also keep a record of how I communicate my decision to those
affected

7. Act on the chosen option

How will I implement my decision?

8. Reflect on the outcome

How did my decision turn out?

Who was affected and how?

Module Three: Governance Interface


With risk management, and ethics risk management in particular, being a relatively new
development with regard to governance structures dedicated to these functions, there is often a lack
of clarity on the interface between the roles, responsibilities, and reporting lines of these functions
at governing body level. The purpose of this section of the handbook is to establish a meaningful and
unambiguous perspective on the interface between the respective structures that have roles to fulfil
in the governance of ethics risk in the organization.

The strategic governance of risk


A number of principles that address an organization’s accountability for taking responsibility for,
identifying, and mitigating risk are presented in the IRMSA Guideline to Risk Management.

The four principles underpinning taking responsibility for risk are:


Principle 1: The governing body should be responsible for the governance of risk
This vests the responsibility for risk in the governing body of an organization. It tasks the governing
body with the responsibility of designing and implementing a risk management policy and plan, and
to ensure that the processes of risk management are implemented according to accepted risk
management frameworks and guidelines.

Principle 2: The governing body should determine the levels of risk tolerance/appetite
At least once a year, the governing body should set specific limits for the levels of risk the
organization is able to tolerate in pursuit of its objectives. The governing body may also set limits
regarding the organization’s risk appetite, i.e., those risks that the governing body desires or is
willing to take. The limits are both financial and non-financial, and instances of the risk appetite
limits exceeding or deviating materially from the risk tolerance limits should be disclosed in the
integrated annual report.

Principle 3: The risk committee or audit committee should assist the governing body in
carrying out its risk responsibilities
To assist it in the discharge of its duties and responsibilities with regard to risk management, the
governing body should appoint a risk committee to review the risk management process and its
maturity, the effectiveness of the risk management activities, the key risks facing the company, and
the responses to those risks. This may be assigned to the audit committee, if it has the capacity. The
risk committee may appoint independent risk experts to supplement skills and experience.

Principle 4: The governing body should delegate to management the responsibility to
design, implement, and monitor the risk management plan.
The risk strategy should be executed by management and in accordance with the risk management
policy and plan. The roles and responsibilities regarding risk management should be
addressed in the risk policy and plan. Risk management should be intrusive: its methodology and
techniques should be embedded within strategy setting, planning, and business processes.
Rigorous risk management should yield solutions that create the appropriate balance between risk
and reward in the organisation.

The three principles in the management of risk are:

Principle 5: The governing body should ensure that risk assessments are performed
on a continual basis.
The governing body in the organisation should ensure that the organisation has and maintains an
effective ongoing risk assessment process consisting of risk identification, risk quantification, and
risk evaluation. Following the risk assessment process, risks and opportunities should be prioritized
and ranked, to ensure a focus on the most critical risk responses.

Principle 6: The governing body should ensure that frameworks and methodologies
are implemented, to increase the probability of anticipating unpredictable risks.
The risk assessment process should be of such a nature that it can help the organization to
anticipate systemic, aggregated, consequential, and other unpredictable risks.

Principle 7: The governing body should ensure that management considers and
implements appropriate risk responses.
Management should identify and consider different ways in which the organisation can respond to
the risks identified during the risk assessment process, and the governing body should ensure that
those responses are in place.

The three principles that address the monitoring, assurance, and disclosure of risk are:

Principle 8: The governing body should ensure continual risk monitoring by
management.
The governing body should ensure that the responsibility for monitoring is clearly defined in the risk
management plan, and that management monitors the risk management plan effectively and
continually.

Principle 9: The governing body should receive assurance regarding the effectiveness
of the risk management process.
Management is accountable for providing the governing body with assurance that it has
implemented and monitored the risk management plan, and that it is integrated into the
organisation's daily activities. Each year, an independent assurance provider should provide a
written assessment of the effectiveness of the system of internal control and risk management
to the authority.

Principle 10: The governing body should ensure that there are processes in place to enable
complete, timely, relevant, accurate, and accessible disclosure of risks to stakeholders.
The governing body should disclose in its annual report to stakeholders (such as an integrated
report to shareholders or other statutory report) any undue, unexpected, or unusual risks the
organisation has taken, as well as material losses and the causes thereof, without compromising
privileged information. It should disclose any current, imminent, or envisaged risk that may
threaten the long-term sustainability of the organization, as well as its views on the effectiveness
of the organization’s risk management processes.

It is the foundational departure point of this handbook that ethics risks are on an equal footing
with other organisational risks (e.g., financial, operational, legal, IT-, and HR risk) in terms of
the potential monetary and reputational damage they can cause if not managed properly. It
therefore stands to reason that the principles discussed above are equally applicable to ethics
risk as they are to other categories of risk. The management of ethics risk requires a dedicated:

1. ethics risk assessment approach
2. ethics risk management strategy and plan
3. ethics risk register, to be incorporated into the organizational risk register that, by now,
includes all categories of risk
4. governance and management reporting structures to ensure that ethics risk is continually
accounted for

Governance oversight of ethics management


Governance is a term that most people have some familiarity with, but they don’t necessarily know
what it means. There are others who think they understand what it means, but they confuse at least
parts of it with the duties and responsibilities for management. Good governance and good
management aren’t synonymous. They have different functions, but they are related. The regular
practice of good governance principles leads to good outcomes in governance.

Governance management refers to establishing policies and continually monitoring proper
implementation of them by the governing body of an organization, which is usually the board of
directors. It includes the processes that are necessary to balance the powers of the leaders and their
duty to enhance the prosperity and sustainability of the organization.

Governance management encourages efficient use of resources and accountability for the
stewardship over those resources. One of the key components of governance management is to
align the interests of individuals, the organization, and society. Governance management
encompasses setting goals and objectives, determining ethical standards, establishing the intended
culture, ensuring compliance, and designing and implementing the governance framework.

It is important for boards to manage governance because it creates efficiency in the work that they
do. In addition, good governance practices highlight instances of errors and problems. By flagging
potential issues, boards have the chance to respond quickly and appropriately. A focus on good
governance holds the board accountable for improving efficiency, which also lends itself to reducing
costs. When boards practice good governance, all processes run smoothly. There is less chance of
crisis where the board needs to react rather than act, and they have the proper time to be
responsible in their acts and decision-making. Organizations that have a culture that supports good
governance practices are more likely to offer quality products and services that meet the demands
and expectations of the public.

Good governance lends assurance to shareholders and stakeholders that the organization is being
transparent about their finances and conduct and that they’re treating all people with dignity and
respect. Best practices result from good governance and create a framework against which all companies
and organizations can measure themselves.

Good governance assures us of many things, including that it reduces risk and prevents fraud and
unscrupulous behavior. When we put it all together, good governance leads to growth and success,
which is the whole reason for organizations to form in the first place.

Risk committee
The Risk Committee (the “Committee”) is an independent committee of the Board of Directors that
has, as its sole and exclusive function, responsibility for the oversight of the risk management
policies and practices of the Corporation’s global operations and oversight of the operation of the
Corporation’s global risk management framework.

The global risk management framework shall be commensurate with the structure, risk profile,
complexity, activities, and size of the Corporation and include:

the Corporation’s policies and procedures establishing risk management governance, risk
management procedures, and risk control infrastructure for global operations; and the Corporation’s
processes and systems for implementing and monitoring compliance with such policies and
procedures, including:
(i) identifying and reporting of risks and risk management deficiencies, including emerging
risks, and ensuring effective and timely implementation of actions to address emerging
risks and risk management deficiencies for the Corporation’s global operations;
(ii) establishing managerial and employee responsibility for risk management;
(iii) ensuring the independence of the risk management function; and
(iv) integrating risk management and associated controls with management goals and the
Corporation’s compensation structure for its global operations.

The Committee will assist the Board of Directors in fulfilling its oversight responsibilities about the
risk appetite of the Corporation, the Corporation’s risk management and compliance framework,
and the governance structure that supports it. Risk appetite is defined as the level and type of risk a
firm is able and willing to assume in its exposures and business activities, given its business
objectives and obligations to stakeholders.

In carrying out its oversight responsibilities, each Committee member shall be entitled to rely on the
integrity and expertise of those persons providing information to the Committee and on the accuracy
and completeness of such information, absent actual knowledge of inaccuracy.

52 | P a g e
Risks and Ethics Learner Guide

The Committee will have the resources and authority appropriate to discharge its responsibilities,
including sole authority to retain and terminate the engagement of such consultants or independent
counsel to the Committee as it may deem necessary or helpful in carrying out its responsibilities, and
to establish the fees and other terms for the retention of such consultants and counsel, such fees to
be borne by the Corporation.

Composition, Meetings and Procedures

The Committee will consist of three or more independent directors. At least one member of the
Committee shall have experience in identifying, assessing, and managing risk exposures of large,
complex financial firms.

The Committee Chair shall be a director who:

 Is not an officer or employee of the Corporation and has not been an officer or employee of the
Corporation during the immediately preceding three-year period;
 Is not a member of the immediate family of a person who is, or who has been within the last
three years, an executive officer of the Corporation; and
 Is an independent director under Securities and Exchange Commission standards.

Committee members and the Committee Chair:

(a) shall be appointed annually by the Board of Directors on recommendation of the Corporate
Governance, Nominating and Social Responsibility Committee and
(b) serve at the pleasure of the Board. The Committee shall report directly to the Board.

Except as limited by law, regulation or the rules of the New York Stock Exchange, the Committee
may form subcommittees for any purpose that it deems appropriate and may delegate to such
subcommittees or to members of the Corporation's management such power and authority as it
deems appropriate, provided, however, that any such subcommittees shall meet all applicable
independence requirements and that the Committee shall not delegate to persons other than
independent directors any functions that are required — under applicable law, regulation, or stock
exchange rule — to be performed by independent directors.

The Committee shall meet as frequently as necessary to fulfill its duties and responsibilities, but not
less frequently than quarterly. A meeting of the Committee may be called by its chair or any two
members of the Committee.

The Committee shall coordinate with the Audit Committee of the Board (which may be done through
the Chairs of each Committee) to ensure that each Committee has received and, when appropriate,
discussed the information necessary to fulfill their respective responsibilities and duties with respect
to areas of common interest. These areas may include, among other matters, the Corporation's
methods for identifying and managing risks, and significant matters including, but not limited to,
investment portfolio issues, frauds, regulatory enforcement actions, litigation or whistleblower
matters, and technology issues.

The Committee may request any officer or employee of the Corporation, or any special counsel or
advisor, to attend a meeting of the Committee or to meet with any members of, or consultant to,
the Committee. The agenda for each Committee meeting will provide time during which the
Committee can meet separately in executive session as a committee. As needed, the Committee may
meet with management, the Chief Risk Officer, the Chief Compliance Officer, and the independent
auditors during such executive sessions.

The Committee shall fully document and maintain records of its proceedings, including risk
management decisions. Minutes of its meetings will be approved by the Committee and maintained
on its behalf. The Committee shall report its activities to the Board of Directors on a regular basis
and make such recommendations as it deems necessary or appropriate.

Specific Responsibilities and Duties

The Committee shall approve the appointment of the Chief Risk Officer, who will report directly to
both the Committee and the Chief Executive Officer of the Corporation. Together with the Chief
Executive Officer, the Committee has the responsibility to annually review the performance of the
Chief Risk Officer and, as appropriate, replace the Chief Risk Officer. The Committee shall receive and
review regular reports, at least quarterly, from the Chief Risk Officer.

As part of the Committee’s oversight responsibilities the Committee shall:

 Review and approve the significant risk management policies and associated risk management
frameworks;
 Review and approve the Corporation’s risk appetite statement on an annual basis and approve
any material amendment to the risk appetite statement;
 Review and approve the Contingency Funding Plan at least annually, and approve any material
revisions to this plan prior to implementation;
 Review significant risk exposures and the steps that management has taken to identify, measure,
monitor, control and report such exposures, including risks such as credit, market, liquidity,
operational (which includes fiduciary and technology risks), strategic, and model and risks
associated with incentive compensation plans;
 Evaluate risk exposure and tolerance;
 Review and evaluate the Corporation's practices with respect to risk assessment and risk
management;
 Review significant issues identified by Risk and Compliance and the Internal Audit Department
with respect to the risk management and compliance activities of the Corporation, together with
management's responses and follow-up to these reports; and
 Review significant examination reports and associated matters identified by regulatory
authorities relating to risk management and compliance issues, and management's responses.

Except to the extent subject to the jurisdiction of another committee of the Board of Directors
pursuant to that committee's charter, the Committee will also have the responsibility to:
 Review the scope of work of Risk and Compliance and its planned activities with respect to the
risk management and compliance activities of the Corporation;
 Annually, or at other appropriate intervals, review and approve the compensation of the Chief
Risk Officer, as recommended by the Chief Executive Officer and/or the Human Resources and
Compensation Committee;
 Receive from management regular updates regarding corporate-wide compliance with laws and
regulations;
 Review the Corporation’s capital adequacy, capital planning process, stress testing and related
activities;
 Escalate to Audit Committee members any items that have a significant financial statement
impact or require significant financial statement/regulatory disclosures; and
 Escalate to Audit Committee members other significant issues, including, but not limited to,
significant compliance issues, as soon as deemed necessary by the Committee.

Annual Performance Evaluation and Charter Review

Annually, there shall be a performance evaluation of the Committee, which may be a self-evaluation
or an evaluation employing such other resources or procedures as the Committee and the Corporate
Governance, Nominating and Social Responsibility Committee may deem appropriate. The
Committee will review and assess the adequacy of this Charter annually and recommend changes to
the Board of Directors when necessary. The Charter and any amendments to it must be approved by
the Board of Directors.
Social and ethics committee
The Social and Ethics Committee must comprise not less than three members. These members may
be directors or prescribed officers of the company; however, at least one must be a director who is
not involved in the day-to-day management of the company’s business – a non-executive director –
and must not have been so involved during the previous three financial years.
A Social and Ethics Committee constitutes a formal structure which can facilitate appropriate
attention to the soft, but very important, dimensions of how a company actually goes about its
business, specifically its value system with regard to ethical standards. It is clearly of pivotal
importance that the professed and advertised value system and ethical standards of conduct of the
company are in fact applied and lived in practice. Recent and ongoing well-publicized international
corporate deficiencies in actual ethical performance, and their profound continuing negative
consequences, should serve as a salutary warning to boards of directors of the importance of getting
this right, also in South Africa.

A reporting structure for the governance of ethics risk

It is important that the organization has a grasp of the interface between ethics risk and risk
management. The reporting channels for each of these entities should also be understood (see
figure below).

The above figure illustrates the interface between the risk management function and the ethics
management function in the organization. As previously mentioned, ethics risk is a specific category
of risk that ideally needs to be addressed by the risk management function, in co-operation with the
ethics office.

The logic underlying this figure is as follows:

1. The identification and prevalence of ethics risk in the organization is assessed by the
organization’s ethics office, using a specific ethics risk assessment methodology.
2. The ethics office reports on the ethics risk profile to the organization’s ethics governance
committee (e.g., the S&EC).
3. The ethics office simultaneously liaises with the risk management department, to jointly or
separately address the ethics risks identified.
4. The ethics governance committee applies its mind and identifies material ethics risks. This is
executed by assessing the impact of those social and ethical issues that may either (a) enhance
the implementation of organizational strategy, or (b) seriously undermine the implementation
of organizational strategy.
5. The ethics governance committee reports to the audit and/or risk committee(s) and the
governing body (e.g., the board) on the ethics risks and how these are being managed.
6. The ethics governance committee (and/or ethics officer) also submits the ethics risk register to
the risk committee (and/or chief risk officer), who is responsible for consolidating all risk
registers into one corporate risk register. The consolidated corporate risk register consists of
various risk registers, e.g., organizational risk, occupational health and safety (OHS) risk, ethics
risk, etc.
7. Most organizations have their top 10 risks, often referred to as strategic risks, which are usually
determined by the highest regulating authority, which usually gives instructions/feedback directly
to the risk committee or chief risk officer. These prioritized risks will include material ethics
risks. To address these material ethics risks, the risk committee then delegates further ethics
risk management activities to the risk management function, which:
a) appropriates the ethics risks as identified and rated by the ethics office as a category of risk
that it has to deal with, among other categories of risk (e.g., operational, IT, legal, HR)
b) identifies the potential impact of the ethics risk, compiles an ethics risk register

56 | P a g e
Risks and Ethics Learner Guide

c) incorporates the ethics risk register into the organizational risk register
d) reports on all risks to the audit and/or risk committee(s) of the governing body
8. The audit and/or risk committee report(s) to the governing body on all risks identified and
managed.
9. The governing body evaluates all organizational risks.
10. The governing body, through the CEO, delegates responsibility for developing/managing/
monitoring the risk management plan to management. That is, it instructs the risk
management function and/or the ethics office to become the risk owners that deal with the
mitigation of risks. The risk owners then report to their respective committees at the end of the
next reporting cycle.
11. The ethics officer plays an important role in ensuring that there is a management plan for
material ethics risks (the ethics risk management plan is incorporated into the risk management
plan).
12. The risk management policy indicates when these plans are submitted to the chief risk officer,
and how/when reporting on progress takes place.
13. The ethics officer or chair of the ethics governance committee may be called to report on the
progress of the ethics management strategy and plan; presentations are usually also required
by the governing body, its sub-committees, e.g., audit and/or risk committee(s) (the same
applies to the OHS officer, and the OHS committee.)
14. The risk management function may not be directly involved in the mitigation of ethics risks or
the drafting of ethics risk response plans, but it is involved in facilitating the process and
advises on the operationalization of the frameworks. Mitigation is usually the function of the risk
owner, which, in the case of ethics risks, could be the ethics officer and/or line management of
other organizational functions.
15. Line managers act as the owners of both risks and ethics risks; they deal with the day-to-day
management of risks and are more 'hands-on.'
16. Risk owners also determine the impact of risks, whereas the risk management function is
responsible for the monitoring and evaluation of risks.

Should the organization not have a dedicated ethics office, the ethics risks identified need to be
dealt with by the organizational risk management function.

Define Governance and Fraud

Governance
Governance encompasses the system by which an organisation is controlled and operates, and the
mechanisms by which it, and its people, are held to account. Ethics, risk management, compliance
and administration are all elements of governance.

The fundamental reasons why organisations should adopt good governance practices include:
 To preserve and strengthen stakeholder confidence – nothing distracts an organisation more
than having to deal with a disgruntled stakeholder group caused by a lack of confidence in the
governing body. On the positive side, a supportive stakeholder base can generate benefits
for the organisation through social and emotional support, intangible but very valuable attributes
that all organisations should strive to achieve and sustain.

 To provide the foundation for a high-performing organisation – the achievement of goals and
sustainable success requires input and support from all levels of an organisation. The Board,
through good governance practices, provides the framework for planning, implementation and
monitoring of performance; without a foundation on which to build high performance, the
achievement of this goal becomes problematic. Achievement of the best performance and
results possible, within existing capacity and capability, should be an organisation’s on-going
goal. Good governance should support management and staff to be “the best they can be”.
 To ensure the organisation is well placed to respond to a changing external environment –
business today operates in an environment of constant change. Technology has created an
information age that has transformed our world, and for business to both survive and remain
profitable to enable it to fulfil its mission and achieve its vision, a system has to be in place to
assist an organisation to identify changes in both the external environment and emerging trends.
This process of understanding our changing world does not happen by chance; it requires
leadership, commitment and resources from the governing body to establish and maintain such
a system within the organisation. Change generally does not happen “overnight”; it is there for
all to see if they have in place a system for looking. Governing bodies, as the ultimate leaders of
an organisation, should take prime responsibility for this activity.

Fraud
Fraud is an intentionally deceptive action designed to provide the perpetrator with an unlawful gain or to deny
a right to a victim. Types of fraud include tax fraud, credit card fraud, wire fraud, securities fraud, and
bankruptcy fraud. Fraudulent activity can be carried out by one individual, multiple individuals or a business
firm as a whole.

Fraud involves the false representation of facts, whether by intentionally withholding important information or
providing false statements to another party for the specific purpose of gaining something that may not have
been provided without the deception.

Often, the perpetrator of fraud is aware of information that the intended victim is not, allowing the
perpetrator to deceive the victim. At heart, the individual or company committing fraud is taking advantage of
information asymmetry; specifically, that the resource cost of reviewing and verifying that information can be
significant enough to create a disincentive to fully invest in fraud prevention.

Both states and the federal government have laws that criminalize fraud, though fraudulent actions may not
always result in a criminal trial. Government prosecutors often have substantial discretion in determining
whether a case should go to trial and may pursue a settlement instead if this will result in a speedier and less
costly resolution. If a fraud case goes to trial, the perpetrator may be convicted and sent to jail.

Common individual mortgage fraud schemes include identity theft and income/asset falsification, while
industry professionals may use appraisal frauds and air loans to dupe the system. The most common investor
mortgage fraud schemes are different types of property flipping, occupancy fraud, and the straw buyer scam.

Fraud also occurs in the insurance industry. Thoroughly reviewing an insurance claim may take so many hours
that an insurer may determine that a more cursory review is warranted considering the size of the claim.
Knowing this, an individual may file a small claim for a loss that didn’t really occur. The insurer may decide to
pay the claim without thoroughly investigating since the claim is small. In this case, insurance fraud has been
conducted.

The Federal Bureau of Investigation (FBI) describes securities fraud as criminal activity that can include high
yield investment fraud, Ponzi schemes, pyramid schemes, advanced fee schemes, foreign currency fraud,
broker embezzlement, pump-and-dumps, hedge fund related fraud, and late-day trading. In many cases, the
fraudster seeks to dupe investors through misrepresentation and to manipulate financial markets in some way.
These crimes are characterized by providing false or misleading information, withholding key information,
purposefully offering bad advice, and offering or acting on inside information.

Understanding Governance Principles

Governance is about:
 the systems and processes
 ensuring the direction, supervision and accountability of an organisation

The governance responsibility of an organisation rests with the Board; however, in practical terms
everyone plays their own part.

Good governance is crucial to an organisation’s success and is not something to be feared. In social
enterprise, that success has an impact on the communities in which it operates. Governance does
not have to be complicated, and is equally important for organisations of all sizes. Governance is not
just about compliance, structure and duties!

Governance is often viewed as a compliance task. At the same time, Board members often feel that they
have more to offer – both individually and as a group – than the social enterprise is currently utilizing.

The time and effort spent by Boards to create and maintain the right governance mechanisms for
their social enterprise can save valuable time in building and scaling their organisation. It can also
ensure that the organisation does not make costly mistakes given the regulatory, legal and financial
environments in which it operates.

Governance should be viewed as a journey and something that is never truly completed.

Governance should be dynamic and adapt to the changing needs of the Board, the operating and
regulatory environment, and the larger goals and vision of the social enterprise over its lifespan.

Governance is fundamentally about people and the way they perform their respective roles and
responsibilities in order to achieve the outcomes of the organisation.

These Guiding Principles outline 7 key principles that are essential for effective governance. These
are:
1. Leadership
2. Ethics & Integrity
3. Stewardship
4. Accountability & Transparency
5. Effectiveness
6. Roles and Responsibilities
7. Participation

Each principle is explored individually and contains good practice guidelines. An organisational
health check has also been prepared that breaks down good practice into measurable actions.

The strategic governance of risk

Risk in business is inevitable – in fact it is essential. A business which does not take commercial risks will not
grow and a business which does not grow is doomed to decline.

Yet, by and large, people in business, as in life, are risk averse, seeking, where possible, to follow the path
which provides the lowest perceived risk.

That is not to say that business leaders should behave recklessly, taking unnecessary risks with little regard to
the consequences – rather, they should take managed risks and it is the job of the board to ensure that the
risks are managed robustly and rigorously.

Businesses need to identify the risks that they face, think of ways in which they might reduce the impact of
each risk on the operation of the business, and prioritise their focus on the risks with the highest likelihood of
occurrence and the greatest impact to the business.

In so doing, it is useful to group the risks into categories. The following is a list of frequently used categories of
risk:

 Strategic
 Operational
 Financial
 People
 Regulatory
 Governance
 Reputational

 Strategic Risks are the overarching risks the business takes when it sets or modifies the direction of travel
of the business. These risks can be external, when the business is affected by changes in the environment in
which it operates, or internal, arising from the adoption of an inappropriate strategy or the setting of
unrealistic objectives.
 Operational Risks arise from the delivery of the goods or services which the business undertakes.
 Financial Risks are to do with the management and flow of the business finances.
 People Risks are associated with both the employment of staff and, for a charity, the involvement of
volunteers.
 Regulatory Risks are concerned with the legislative framework within which the business operates.
 Governance Risks are to do with the way the business is organized and run.
 Reputational Risks are any aspects of the activities of the business which would affect its reputation.

A good place to start with identifying risks is the Business Plan or overall strategy document for the
business.

A useful tool to help to identify risks is an analysis of the strengths and weaknesses of the business and the
opportunities available to it and any potential threats to its success.

This analysis can be done at a strategic or operational level within the business to produce a number of items
within each quadrant. Sometimes items will appear in more than one quadrant, as a strength can also be a
weakness. For example, the involvement of a large number of staff in running a social enterprise is a strength,
as they are more likely to be engaged with the business, but it can also mean that the decision-making process
is longer and less effective than in an organisation with a leaner management structure, so it may also be seen
as a weakness.

Although when people think of risks they usually focus on the negative aspects – what can go wrong, it is also
useful to think of the ‘positive’ risks presented by opportunities.

Once risks have been identified they can be entered into the risk register so that they can be prioritised and
managed.

The risk register is a list of the identified risks faced by the association prioritised in order of likelihood and
impact.

It is a tool to enable the board to satisfy itself that the business’s risks are being managed effectively and
should be viewed on an exception basis, for example always reviewing the top five risks plus those risks which
have either increased or decreased in likelihood or impact since the previous review.

Each operating unit or department of the business will also have its own risk register which will feed in to the
overall risk register for the company.

The format of a typical risk register is likely to consist of a table with the following headings:
 Risk Category
 Risk Description
 Risk Mitigation
 Likelihood
 Impact
 Ranking
 Comments
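
The register described above, as an added example that is not part of the guide: a Python model of the table with the guide's headings, ranking by likelihood and impact, consolidation of departmental registers into the company register, and the exception-based board review (top five plus risks that moved since the last review). The 1 to 5 scales, the likelihood × impact ranking formula, the treatment of new entries and the sample risks are assumptions.

```python
from dataclasses import dataclass
from typing import Dict, Iterable, List

# The seven risk categories listed in the guide.
CATEGORIES = ("Strategic", "Operational", "Financial", "People",
              "Regulatory", "Governance", "Reputational")


@dataclass(frozen=True)
class Risk:
    """One row of the register; the fields are the guide's column headings."""
    category: str
    description: str
    mitigation: str
    likelihood: int   # 1 (rare) .. 5 (almost certain); the scale is an assumption
    impact: int       # 1 (minor) .. 5 (severe); the scale is an assumption
    comments: str = ""

    def __post_init__(self) -> None:
        if self.category not in CATEGORIES:
            raise ValueError(f"unknown risk category: {self.category}")
        for name in ("likelihood", "impact"):
            if not 1 <= getattr(self, name) <= 5:
                raise ValueError(f"{name} must be between 1 and 5")

    @property
    def ranking(self) -> int:
        """Ranking score: likelihood x impact (assumed formula; the guide only
        says the register is prioritised by likelihood and impact)."""
        return self.likelihood * self.impact


def prioritise(register: Iterable[Risk]) -> List[Risk]:
    """Order the register by ranking (highest first), then impact, then name."""
    return sorted(register, key=lambda r: (-r.ranking, -r.impact, r.description))


def consolidate(unit_registers: Iterable[List[Risk]]) -> List[Risk]:
    """Merge departmental registers into the overall company register.
    When two units log the same risk, the higher-ranked entry is kept."""
    merged: Dict[str, Risk] = {}
    for register in unit_registers:
        for risk in register:
            existing = merged.get(risk.description)
            if existing is None or risk.ranking > existing.ranking:
                merged[risk.description] = risk
    return prioritise(merged.values())


def exception_report(current: Iterable[Risk], previous: Iterable[Risk],
                     top_n: int = 5) -> List[Risk]:
    """What the board reviews on an exception basis: the top N risks plus any
    risk whose likelihood or impact changed since the previous review. Risks
    new since that review are also flagged (an assumption; the guide is silent)."""
    ranked = prioritise(current)
    previous_by_name = {r.description: r for r in previous}
    flagged = list(ranked[:top_n])
    for risk in ranked[top_n:]:
        old = previous_by_name.get(risk.description)
        if old is None or (old.likelihood, old.impact) != (risk.likelihood, risk.impact):
            flagged.append(risk)
    return flagged


def render(register: Iterable[Risk]) -> str:
    """Plain-text table using the guide's seven headings."""
    rows = [("Risk Category", "Risk Description", "Risk Mitigation",
             "Likelihood", "Impact", "Ranking", "Comments")]
    for r in register:
        rows.append((r.category, r.description, r.mitigation,
                     str(r.likelihood), str(r.impact), str(r.ranking), r.comments))
    widths = [max(len(row[i]) for row in rows) for i in range(len(rows[0]))]
    return "\n".join("  ".join(c.ljust(w) for c, w in zip(row, widths)) for row in rows)


# Constructed sample registers for two operating units (not real data).
FINANCE_REGISTER = [
    Risk("Financial", "Late customer payments", "Weekly debtor chasing", 4, 3),
    Risk("Regulatory", "Missed filing deadline", "Compliance calendar", 2, 4),
]
OPERATIONS_REGISTER = [
    Risk("Operational", "Key supplier failure", "Second-source contract", 3, 5),
    Risk("People", "Loss of key staff", "Succession plan", 3, 4),
    Risk("Operational", "IT outage", "Tested backups", 2, 5),
    Risk("Financial", "Late customer payments", "Invoice on delivery", 3, 3),  # lower-ranked duplicate
    Risk("Reputational", "Negative press coverage", "Media response plan", 2, 3),
    Risk("Governance", "Board vacancy", "Recruitment pipeline", 1, 3),
]
# Constructed snapshot of the company register at the previous review.
PREVIOUS_REVIEW = [
    Risk("Operational", "Key supplier failure", "Second-source contract", 3, 5),
    Risk("People", "Loss of key staff", "Succession plan", 3, 4),
    Risk("Financial", "Late customer payments", "Weekly debtor chasing", 4, 3),
    Risk("Operational", "IT outage", "Tested backups", 2, 5),
    Risk("Regulatory", "Missed filing deadline", "Compliance calendar", 2, 4),
    Risk("Reputational", "Negative press coverage", "Media response plan", 2, 3),
    Risk("Governance", "Board vacancy", "Recruitment pipeline", 1, 2),  # impact has since risen to 3
]


def corporate_register() -> List[Risk]:
    """The consolidated company register built from the unit registers."""
    return consolidate([FINANCE_REGISTER, OPERATIONS_REGISTER])


if __name__ == "__main__":
    print(render(corporate_register()))
    print("\nFor board review:\n" + render(exception_report(corporate_register(), PREVIOUS_REVIEW)))
```

Running the block prints the full register and then the shorter exception list: the top five plus "Board vacancy", whose impact changed, while the unchanged "Negative press coverage" is left off.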

Governance oversight of ethics management

Ethical Governance refers to the values and ethical behaviours, processes, procedures, culture, and ways of
doing and being that ensure high standards of performance, economy, effectiveness, efficiency,
quality and satisfaction.

Governance is the set of processes and abilities needed to achieve the objectives and fulfil the
responsibilities of any business or organisation, whether public, for-profit or not-for-profit, in
the healthcare sector or in another field of economic activity.

A reporting structure for the governance of ethics risk

Risk Governance refers to the institutions, rules, conventions, processes and mechanisms by which
decisions about risks are taken and implemented. It can be both normative and positive, because it
analyses and formulates risk management strategies to avoid and/or reduce the human and
economic costs caused by disasters. Risk governance goes beyond traditional risk analysis to include
the involvement and participation of various stakeholders as well as considerations of the broader
legal, political, economic and social contexts in which a risk is evaluated and managed. The scope of
risk governance encompasses public health and safety, the environment, old and new technologies,
security, finance, and many others.

Asset Misappropriation, Financial Misstatement, Computer Crime

Asset Misappropriation
Asset misappropriation fraud happens when people who are entrusted to manage the assets of an
organization steal from it. Asset misappropriation fraud involves third parties or employees in an
organisation who abuse their position to steal from it through fraudulent activity. It can also be
known as insider fraud.

This type of fraud can be committed by company directors, or its employees, or anyone else
entrusted to hold and manage the assets and interests of an organization.

Typically, the assets stolen are cash or cash equivalents, such as credit notes or vouchers. However,
the fraud can extend to include company data or intellectual property.
At one end of the scale, asset misappropriation fraud may be limited to isolated cases of expense
fiddling or an employee lying about his or her qualifications to get a job.
At the other end, it might involve organized crime groups infiltrating organizations to take advantage
of weak processes and inadequate internal systems and controls.

The definition of asset misappropriation fraud doesn’t include straight theft from an organization by
insiders, such as stealing stationery or other physical assets.

Ultimately, it’s the cash flow of the business that suffers.

If they’re not tackled, opportunistic one-off frauds can become systemic and spread throughout an
organization, creating a culture of theft and fraud. When this happens, fraudsters think their actions
are acceptable and fail to make the distinction between company funds and their own funds.

Apart from the direct impact of lost funds, asset misappropriation fraud can also impact on an
organization’s staff morale and reputation.

Are you a victim of asset misappropriation fraud?

Asset misappropriation fraud could include any of the following:
 Embezzlement, where accounts have been manipulated or false invoices have been created.
 Deception by your employees.
 False expense claims.
 Payroll fraud, where payments have been diverted or fictitious, ‘ghost’ employees have been
created.
 Data theft or intellectual property theft.

What should you do about asset misappropriation fraud?

 If you believe the fraud is going on right now, you should contact the police. They will start a
criminal investigation.
 If fraud has occurred, contact Action Fraud to make a report.
 You should immediately suspend the employee(s) involved in order to prevent further losses.
 You might want to try and recover the stolen funds and start disciplinary or dismissal
procedures.
 You should try to estimate the direct losses your organization has suffered and find out whether
the same fraud is being carried out by other people. If so, this would indicate there’s some kind
of systemic failure across your whole organization.

Protect yourself against asset misappropriation fraud

Your organization can take the following steps to help to protect itself from asset misappropriation
fraud:
 vet employees thoroughly, checking their CVs and references
 implement a whistle blowing policy
 control access to buildings and systems using unique identification and passwords
 restrict and closely monitor access to sensitive information
 impose clear segregation of duties
 consider job rotation
 use tiered authority and signature levels for payments
 regularly reconcile bank statements and other accounts
 periodically audit processes and procedures
 promote a culture of fraud awareness among staff
 adopt, and rigorously implement, a zero-tolerance policy towards employee fraud
 have a clear response plan in place in case fraud is discovered.

Your organization also has a responsibility to protect other employers. Simply dismissing a fraudster
enables him or her to move to another employer where he or she will most likely continue their
fraudulent behavior. Consider taking part in a fraud data sharing scheme, or decide to prosecute the
fraudster when the fraud is discovered.

Financial Misstatement
A misstatement is the difference between the required amount, classification, presentation, or
disclosure of a financial statement line item and what is actually reported in order to achieve a fair
presentation, as per the applicable accounting framework. A misstatement could have been caused
by an error in recording a transaction, or fraudulent activity. It is considered to be material when the
user of a set of financial statements alters his economic decisions because of the misstatement.
Auditors assess the level of material misstatement when developing an audit plan for a client.

When a claim is brought that a business has issued fraudulent financial statements, a common
defense is for the organization to claim that an unintentional misstatement occurred, which is
therefore not fraudulent.
Computer Crime
Computer crime is an illegal act carried out by means of, or against, a computer system: for
example, breaking into a company's or an individual's systems and browsing or stealing private
information without authorization. The person responsible, often loosely called a hacker, may be a
single individual or a group, and in some cases they go further and destroy or corrupt the computer
or its data files.

In most cases, someone commits a computer crime to obtain goods or money. Greed and desperation
are powerful motivators for some people to try stealing by way of computer crime. Some people also
commit a computer crime because they are pressured, or forced, to do so by another person.

Others commit a computer crime simply to prove that they can. A person who successfully carries out
such an attack may find great personal satisfaction in doing so; attackers of this kind, sometimes
called black hat hackers, like to create chaos and wreak havoc on other people and companies.

Another reason computer crimes are sometimes committed is boredom: the person wants something to do
and does not care that it is a crime.

Reducing Fraud Risk


Although a business may be unable to completely prevent fraud from occurring, the business should be able to
detect fraud when it happens to minimize any losses. Here are a few ways to detect and prevent fraud at your
organization.

1. Sign up for a fraud hotline service.


One way to stay on top of fraud is a hotline. Fraud hotlines give people connected with your business
an anonymous way to report suspicious activity. More than a third of fraud cases are detected through
a tip, and in 51.5% of cases the tip comes from an employee. Hotlines benefit both the employer and
the employee because of their ease and anonymity, and organizations with a hotline detect fraud about
50% faster.

2. Require a background check on all employees.


Background reports are inexpensive and a good way to protect the culture and quality of your business.
Check for inconsistencies between the application and the background report: a candidate's dishonesty
can prove detrimental to your business, and where it is apparent you should look deeper into their
background or consider another candidate. Be especially diligent about checking the backgrounds of
employees who enter people's homes, since failing to do so could create additional liability for the
company. Know who you are hiring: use the application, and take the time to call previous employers
and listed references.

3. Establish preventative controls.


Setting up a fraud prevention program begins with understanding that any organization is susceptible
to fraud, and that the greatest threat to any organization is its own employees. Under the right
circumstances, any employee could cross the line and begin manipulating their job duties for their
own benefit. Preventive controls deter or block unauthorized transactions before they happen: they
include requiring proper authorization and installing physical and logical safeguards such as locks,
keys and passwords. Another important preventive measure is an inventory control system. By keeping
an accurate inventory count, an organization can identify irregular purchases as well as any item
being used at an unusually high rate, and can then conduct a review to see whether the unusual
activity is an indication of deeper issues.

4. Establish detective controls.


Detective controls are independent checks that transactions had proper authority and were recorded
correctly. They include:
• rotating job duties
• mandatory vacation requirements
• surprise audits
• routine inventory counts
• ensuring adequate documentation and records
• watching for warning signs such as recurring charges, employees you do not remember hiring,
  expenses you do not remember signing for, excessive voids and duplicate payments.
Also ensure that requests for invoices and supporting records are made by someone independent of
those handling the organization's day-to-day accounting.
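The warning signs above can be checked mechanically once the payment ledger, the vendor master and the HR roster can be exported from the accounting and HR systems. The following is an added example written for this guide, not code from the guide or from any of its sources; the field names, the vendor master, the HR roster, the payroll names and every ledger row are constructed sample data, and a real export would need to be mapped onto them.

```python
"""Detective-control checks over an accounts-payable ledger and a payroll list.

Added example for this guide. Field names, the vendor master, the HR roster,
the payroll names and every ledger row are constructed sample data.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Payment:
    ref: str        # payment reference in the accounting system
    paid_on: date
    payee: str
    amount: float
    invoice: str    # supplier invoice number the payment settles


# Constructed reference data: approved suppliers and the people HR knows about.
VENDOR_MASTER = {"Acme Office Supply", "Northwind Cleaning", "Metro Power"}
HR_ROSTER = {"A. Patel", "B. Okoro", "C. Reyes"}

# Constructed ledger export; the comments mark what each check should find.
LEDGER = [
    Payment("P-1001", date(2024, 3, 1), "Acme Office Supply", 480.00, "INV-77"),
    Payment("P-1002", date(2024, 3, 2), "Northwind Cleaning", 1200.00, "NC-310"),
    Payment("P-1003", date(2024, 3, 9), "Acme Office Supply", 480.00, "INV-77"),      # same invoice paid twice
    Payment("P-1004", date(2024, 3, 15), "Summit Consulting LLC", 2500.00, "SC-1"),  # payee not in vendor master
    Payment("P-1005", date(2024, 3, 29), "Northwind Cleaning", 1200.00, "NC-311"),
    Payment("P-1006", date(2024, 4, 29), "Northwind Cleaning", 1200.00, "NC-312"),   # recurring charge
]

# Constructed payroll names; the last one has no HR record (a "ghost employee").
PAYROLL = ["A. Patel", "B. Okoro", "C. Reyes", "D. Nobody"]


def duplicate_payments(ledger):
    """Groups of payment refs that settle the same payee/amount/invoice more than once."""
    groups = defaultdict(list)
    for p in ledger:
        groups[(p.payee, p.amount, p.invoice)].append(p.ref)
    return [refs for refs in groups.values() if len(refs) > 1]


def unknown_payees(ledger, vendor_master):
    """Payees paid without ever being set up in the vendor master."""
    return sorted({p.payee for p in ledger if p.payee not in vendor_master})


def ghost_employees(payroll, hr_roster):
    """Names on the payroll that HR has no record of hiring."""
    return sorted(set(payroll) - set(hr_roster))


def recurring_charges(ledger, min_occurrences=3):
    """Payee/amount pairs seen at least min_occurrences times; flagged for review, not as proof."""
    counts = Counter((p.payee, p.amount) for p in ledger)
    return sorted(key for key, n in counts.items() if n >= min_occurrences)


def run_checks(ledger=LEDGER, vendor_master=VENDOR_MASTER, hr_roster=HR_ROSTER, payroll=PAYROLL):
    """Run every detective check and return the findings by name."""
    return {
        "duplicate_payments": duplicate_payments(ledger),
        "unknown_payees": unknown_payees(ledger, vendor_master),
        "ghost_employees": ghost_employees(payroll, hr_roster),
        "recurring_charges": recurring_charges(ledger),
    }


if __name__ == "__main__":
    for check, findings in run_checks().items():
        print(f"{check}: {findings or 'nothing flagged'}")
```

Two points follow from the text rather than from the code. The recurring-charge check produces review items, not findings: a monthly cleaning contract is supposed to recur, so a flagged pair is only a prompt to look at the contract and invoices. And the person running these checks should be independent of day-to-day accounting and should work from a read-only export, so that the person whose work is being checked cannot edit the data the check runs over.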

5. Be actively involved in your company’s finances.


Check your company's bank balance and expenditures on a monthly basis. Know what it costs to run
your company, and be able to recognize when expenses seem too high, or revenue seems too low, for
the company's volume of sales.
• Send your payables and receivables to a P.O. Box, not your office.
• Open and read your mail.
• Know how much money is coming in and going out, then bring it to your bookkeeper.
• If you can, segregate the duties. Have your receptionist or office manager open, list and log all
  checks received in the mail. Then review the reconciled bank statements and compare the check log
  to the deposit slips.
• Sign your own checks. Avoid stamp signatures whenever possible.

6. Review your company's financials.

Fully review your company's financial statements. Read beyond the first page of the Profit and Loss
Statement and review every item on every page. A fraudulent employee will try to hide the loss in
the detail-level pages; if you do not examine the statements thoroughly, these red flags will be
impossible to find.

If you don’t understand something on your P&L, ask questions until you do. It can help to rename things you
don’t understand so that they make sense to you.

Know what each line item on your financial statement is. It’s your company—it is vital that you understand
how every piece is put together.

7. Limit access to key data.


All financial programs should have ways to limit access to valuable information.
• Each employee should have their own user ID and password to sign in to their computer, and
  sessions should sign off automatically when the computer is not being used.
• Keep passwords secret, not posted on the computer on a sticky note, and make sure sensitive
  company, employee and customer information does not make its way into the wrong hands.
• Store check stock and company credit cards in a locked drawer.
• Require dual authorization for electronic bank transfers.
• Make sure accounting and computer software has user restrictions set up so that each individual
  can reach only the data and functions their job requires.
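Dual authorization for electronic transfers, combined with the tiered authority levels mentioned under asset misappropriation, can be enforced in code rather than left to procedure. The following is an added example, not code from the guide or from any banking or accounting product; the role names, approval limits, user identifiers, account numbers and the two-approval threshold are constructed assumptions.

```python
"""Dual authorization (four-eyes) with tiered limits for electronic transfers.

Added example for this guide. Roles, limits, user IDs and account numbers are
constructed assumptions, not a real system's configuration.
"""
from dataclasses import dataclass, field

# Constructed tiered authority: the largest single transfer each role may approve.
APPROVAL_LIMITS = {"clerk": 0.0, "manager": 10_000.0, "director": 100_000.0}
# Constructed user directory mapping each individual user ID to its role.
USERS = {"u-ann": "clerk", "u-bob": "manager", "u-cat": "manager", "u-dan": "director"}
# Two distinct approvers are required before funds can leave the account.
REQUIRED_APPROVALS = 2


class AuthorizationError(Exception):
    """Raised when an approval or release would break the control."""


@dataclass
class TransferRequest:
    ref: str
    amount: float
    payee_account: str
    initiator: str
    approvals: list = field(default_factory=list)


def approval_problem(req, user):
    """Return why `user` may not approve `req`, or None if the approval is allowed.

    Each rule is one of the controls from the guide: approvals come only from
    named individuals, the initiator may not approve their own request, two
    different people must approve, and nobody may approve beyond their level.
    """
    role = USERS.get(user)
    if role is None:
        return f"{user}: unknown user; approvals must come from a named individual"
    if user == req.initiator:
        return f"{user}: initiator may not approve their own transfer"
    if user in req.approvals:
        return f"{user}: already approved; a second, different person is required"
    if req.amount > APPROVAL_LIMITS[role]:
        return f"{user} ({role}) is not authorized for {req.amount:.2f}"
    return None


def approve(req, user):
    """Record an approval, or raise if it would violate the control."""
    problem = approval_problem(req, user)
    if problem:
        raise AuthorizationError(problem)
    req.approvals.append(user)
    return req


def releasable(req):
    """True only once the required number of distinct approvals is present."""
    return len(set(req.approvals)) >= REQUIRED_APPROVALS


def release(req):
    """Final gate before the transfer is handed to the bank interface."""
    if not releasable(req):
        raise AuthorizationError(
            f"{req.ref}: {len(req.approvals)} of {REQUIRED_APPROVALS} approvals present")
    return (f"{req.ref}: {req.amount:.2f} to {req.payee_account} released, "
            f"approved by {', '.join(req.approvals)}")


if __name__ == "__main__":
    req = TransferRequest("T-1", 8_000.0, "GB00BANK00000001", initiator="u-ann")
    for user in ("u-ann", "u-bob", "u-bob", "u-cat"):
        try:
            approve(req, user)
            print(f"approved by {user}")
        except AuthorizationError as e:
            print(f"rejected: {e}")
    print(release(req))
```

The control is only as strong as the identities behind it: if two people share a login, `u-bob` approving twice looks like two approvals, which is why the guide's insistence on individual user IDs and secret passwords is a precondition for dual authorization rather than a separate item.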


8. Implement a system of checks and balances.


Implement a “checks and balances” program at your company. There are many companies where employees’
work goes unchecked. This allows employees to commit fraud more easily, because they know no one is
watching. Operating without a system of checks and balances can end up costing the company significantly,
even leading to bankruptcy.

When internal controls are established and everyone knows their work will be double-checked, the
opportunity for fraud is greatly reduced. The bottom line: using checks and balances makes trusting your
employees easier.

Module Four: Key success factors


To ensure that the implementation of ethics risk management activities, as aligned to risk
management, is executed in an effective and credible manner, a number of key success factors have
been formulated as guidelines. These factors are categorized according to context and planning,
assessment, and reporting.

Context and planning


1. An in-depth knowledge of the organization and the legal, social, political, and economic
environment in which it operates is essential for those functions involved in ethics risk
management.
2. Organisational leadership that is committed to ethics/integrity is a crucial prerequisite for the
implementation of the ethics risk management process.
3. The organisation needs to make a firm commitment to account for and manage its ethics risk.
4. The governing body and its relevant committees should provide strategic direction to and
oversight of the organisation's risk management, including ethics risk management.
5. Pragmatic guidelines that empower stakeholders within an organisation by ensuring common
understanding of the acceptable principles, behaviors, and practices are an important
requirement for the successful implementation of an ethics risk management process.
6. Ethics risk management, when effective, is characterized by the interconnectedness of strategy,
operations, and process, in order to achieve organisational objectives.
7. An effective ethics risk management programme ensures the alignment of strategic intent and
operational delivery.
8. The risk management function and the ethics management function should collaborate closely in
managing the ethics risk of the organisation.


9. The co-ordination of risk and ethics risk management processes allows for the effective use of
organisational resources and governance processes.
10. Ethics risk management is a continuous process that supports the organisation's risk
management, and thus guides strategy implementation in organisations.

Assessment
1. The organisation should ensure that it has the capacity and competence to identify and manage
its ethics risks and opportunities.
2. The ethics risk assessment process should take account of the views of all stakeholders involved
in the activity being assessed.
3. An ethics risk assessment process should ensure that all significant risks are identified timeously,
and that root causes are comprehensively described and analysed.
4. The ethics risk assessment should be expressed in terms of an ethics risk rating, to ensure that
the subsequent actions of determining risk impact and likelihood can be conducted.
5. The ethics risk assessment should reflect the effectiveness of current controls, and provide
sufficient information to assist in improving controls to eliminate or reduce risks to an
acceptable level.

Reporting

1. The organisation should disclose to its stakeholders how it manages its ethics risks and
opportunities.
2. Ethics risk reports need to be accurate and timely.
3. Ethics risk reports need to be sufficiently comprehensive to enable those involved in risk
mitigation to make informed decisions – all material and emerging risks need to be included, as
well as information relating to risk exposure.
4. Ethics risk reports need to be clear and useful, so as to address the needs of the recipients of
the reports.
5. Ethics risk reporting should be done frequently, as determined by the governing body, and will
vary according to the type of risk, the purpose of the report, and the needs of the recipients.
6. Ethics risk reports should be distributed to all relevant stakeholders, bearing in mind that
confidentiality needs to be maintained.


REFERENCES
https://www.bbc.co.uk/ethics/introduction/intro_1.shtml
https://courses.lumenlearning.com/boundless-management/chapter/ethics-an-overview/
https://www.encyclopedia.com/science/encyclopedias-almanacs-transcripts-and-maps/risk-ethics
https://www.360factors.com/blog/five-steps-of-risk-management-process/
https://www.governanceinstitute.com.au/resources/what-is-governance/
https://www.governancetoday.com/GT/Material/Governance__what_is_it_and_why_is_it_important_.aspx
https://www.investopedia.com/terms/f/fraud.asp
https://www.acfe.com/fraud-101.aspx
https://www.boardeffect.com/blog/what-governance-management-important/
https://www.riskassessor.net/news/detail/five-steps-to-risk-assessment
https://www.investopedia.com/articles/professionals/021915/risk-management-framework-rmf-overview.asp
https://www.mitre.org/publications/systems-engineering-guide/acquisition-systems-engineering/risk-management/risk-identification
https://www.wallstreetmojo.com/risk-rating/
http://jukebox.esc13.net/untdeveloper/RM/RM_Module_16/RM_Module_165.html
https://www.bnymellon.com/us/en/investor-relations/corporate-governance/risk-committee.html
https://www2.deloitte.com/content/dam/Deloitte/za/Documents/governance-risk-compliance/ZA_SocialAndEthicsCommitteeAndTheManagementOfTheEthicsPerformance_24032014.pdf
https://www.governanceprinciples.scot/governance-guiding-principles
https://excellencia.co.uk/strategic-risk-governance-an-introduction/
https://healthmanagement.org/c/it/issuearticle/ethical-governance
https://cio-wiki.org/wiki/Risk_Governance
https://www.accountingtools.com/articles/2018/3/9/misstatement
https://www.computerhope.com/jargon/c/compcrim.htm
https://www.eidebailly.com/insights/articles/legacy/how-to-reduce-your-fraud-risk
