The unintended consequences of risk reporting
- Published: Tuesday, 16 August 2016 08:54
Geary W. Sikich and Joop Remmé pose three questions which aim to enable organizations to explore the relationship between corporate social responsibility and governance risk and compliance activities/obligations.
In this article we posit three questions. The first question is: “Is it a social responsibility of companies that they undertake a comprehensive risk assessment?” The second question: “Does the notion of conscience and its application to the generation and use of risk information and information in general, create an obligation for the organization to disclose the results of the comprehensive risk assessment?” The third question: “How do the people in the organization communicate the information from the comprehensive risk assessment to stakeholders and yet preserve security and protect the organization?”
The three questions may, at first, appear simple and straightforward. However, as we dissect each, we find that there is significant complexity intertwined in these questions. While this article does not attempt to provide a rigid framework or hard and fast answers to the above questions, it is our intent to set in motion a dialogue regarding corporate social responsibility (CSR) and its relationship with governance risk and compliance (GRC) activities/obligations that form a social contract between the organization and its stakeholders.
1) Is it a social responsibility of companies that they undertake a comprehensive risk assessment?
When one asks “Is it a social responsibility of companies that they undertake a comprehensive risk assessment?”; we begin to view the organization as a living entity. Organizations all have cultural traits that identify and differentiate them from other organizations. Organizational culture defines the behaviors / behaviours and aspirations of those who belong to the organization. It creates a context of responsibilities, obligations, goals and objectives that pertain both to how the members of the organization treat each other and to how the outside world can be expected to be treated by them.
While the organization’s goals and objectives may change over time to meet strategic initiatives, responsibilities and obligations often provide a stable platform for optimizing operational effectiveness once they are solidified in the culture. As developed by Trompenaars, a culture can best be seen as a social structure for problem solving. That brings us to risk. What if the efforts to solve joint problems fail? That is a risk that may not have been adequately addressed by traditional risk management.
Does this question then assume a positive effect from conducting comprehensive risk assessments? Does the organization’s management, and risk management function, learn from the risk assessment process and thereby change organizational behaviors? To phrase this in terms of culture, do the cultivated behaviors within the organization adapt? Or, is the comprehensive risk assessment process merely a paper exercise designed to meet regulatory requirements?
Realizing the full range of responsibilities, commitments, learning and applying the results of a comprehensive risk assessment creates an organizational ‘conscience’; a record of results that effectively obliges the organization to act.
We can focus this on responsibilities that have to do with data; in this day and age the life blood of business processes and relationships. For example, take European Union (EU) privacy concerns and data protection. When dealing with non-EU companies, consultancies, etc., a risk is posed by these non-EU organizations having data on their EU clients with none of that information being protected under EU regulation. This can constitute too much of a risk for the EU client, such that they will refrain from engaging non-EU companies/suppliers.
2) Does the notion of conscience and its application to the generation and use of risk information and information in general, oblige the organization to disclose the results of the comprehensive risk assessment?
Part of conscience is the responsibility to realize what you did. This realization is required for the disclosure of risk assessment results dictated by regulations, but also for the development of responsible and productive engagement (communications, interfaces, etc.) with all stakeholders. In the example cited in question #1, regarding EU data privacy concerns; what would the organization learn from that realization? How would risk assessment information be communicated, retained and protected? In terms of culture, this means that an organization must foster awareness amongst its members of the organization’s impacts on stakeholders. This does not take away the responsibility of leaders, who should show such awareness more than others, but it rather helps to build leadership on a shared sense of responsibility.
Think about psychopaths. According to recent research, a psychopath does have a conscience; he/she just does not let that conscience interfere with his or her actions, making behaviors possible that ‘normal’ people would not typically show. If such a psychopathic mentality comes to characterize the culture of an organization, it constitutes a formidable risk. You could say that if an organization is not able to learn from what it has done, it cannot be fully regarded as a responsible organization.
3) How do the people in the organization communicate the information from the comprehensive risk assessment to stakeholders and yet preserve security and protect the organization?
What is the value of information for each stakeholder relationship? It is a real quandary that organizations must deal with - how much information to stakeholders is too much and what are the compliance requirements that, if unmet or only partially met, could cause stakeholder lawsuits, actions, etc. that are detrimental to the organization. A fine line that has to be carefully navigated. Here again, think of the example cited in question #1, regarding EU data privacy and security. Where should the risk assessment information (reports, etc.) repository (data storage) be located, and what type of protection should be used to secure the data? What is the risk of hacking to the organization? How can data be communicated without raising ‘red flags’ for regulators, etc.? How can the sharing of data with stakeholder be restricted without damaging the relationships amongst the stakeholders?
This question might be mainly about trust. Let’s assume, at least, that threats to security of information mainly come from inefficiencies, or even ill will, amongst stakeholders. However, with the rise of cyber-crime (hacking, ransomware, etc.), preserving security partly depends on preserving the goodwill of all those concerned with protecting the security of the organization. It also assumes that identified risks (positive and/or negative) will be addressed by a corresponding program of ‘risk buffering’ to create ‘risk parity’.
The communication process is no longer once and done; it is now a constant dialogue to ensure the accuracy and freshness of the information (data). With regard to risk data, the challenge is to protect the data from inadvertent disclosure and/or malicious disclosure, either from internal or external sources.
In this article we have posited three complex questions that organizations must address from the standpoint of governance, risk and compliance; as well as from a corporate social responsibility perspective as relates to the social contract with stakeholders. Our discussion is not meant to be all encompassing, nor to set strict guidelines/prescriptions for courses of action. Rather it is the intent that the readers begin to know and better understand the commitments the organization makes in establishing effective CSR and GRC initiatives.
We encourage comments and discussion on all the points made herein. The goal is to expand the dialogue and to heighten organizational awareness of risk in its constantly changing forms.
About the authors
Copyright© Geary W. Sikich, Joop Remme 2016. World rights reserved. Published with permission of the authors.