Author: Aldi Ardilo Alijoyo, S.Psi, MBA, QRMP, CGP
Certification Holder of LSP LPK MKS
CEO of CyberWhale


Business is, in many ways, all about risk. It is about investing in research and development and in productive processes that may or may not result in products that customers want to buy. It is about hiring people and then putting your firm's reputation into their hands. It is about trying and doing new things, always aware of the chance of failure. Society flourishes because businesses are willing to take risks. However, some risks should obviously not be taken, and others should be taken only subject to suitable safeguards. Risk, in other words, needs to be well managed.

Values matter most when they are least convenient. In an environment riddled with uncertainty and variability, value systems are meant to be the only constants. However, all too often they prove to be meaningless words in an annual report. For value statements to be more than empty slogans, they must withstand the trial by fire of tough calls, guiding behaviour and decision making when it is least convenient. The now-famous Tylenol recall of the 1980s is an enduring example of how Johnson & Johnson's credo guided decision making in a time of crisis. A small number of firms are counter-intuitively becoming activists in championing their value systems, even at the risk of short-term shareholder returns. No one gets extra credit for doing the right thing when it is easy.

Both ethics and risk management foster respect for others, be they neighbours, employees, customers, fellow users of a good or service, or simply fellow occupants of our planet – all sharing the same rights to be safe, independent, and hopefully happy and productive. Respect for others, whoever they may be, inseparably links risk management and ethics.

An ethical risk management strategy concerns the infrastructure that promotes ethical conduct, that is, the directives and supports that both manage risk associated with lack of ethical practices and provide incentives to promote ethical conduct. These can include conformance with externally mandated legal and legislative requirements as well as internal supports and expectations.

While it is clear that legal compliance must have primacy, that is not to say that ethical compliance does not complement that process. Where the law quite rightly sets minimum standards, ethics may set aspirational ones; where the law seeks sanctions, ethics may seek flexible and creative solutions. Furthermore, ethical self-regulation is a complement to the law. Ethics seems to be more effective when it is positive rather than punitive; likewise, a solution orientation rather than a punitive orientation is itself an ethical response. Given that ethics does not have the firm prescriptions that the law has, it affords an opportunity to be creative in its approach.

Ethical judgements fall on a continuum. One of the issues of significant concern is that of preserving the confidentiality of individuals and of commercial secrets. If privacy safeguards are not provided, ethical compliance may be seen as a deterrent; too diligent a publication of all adverse findings has the same effect. Another fundamental issue is what policy and procedures to adopt to accommodate those who would blow the whistle. This article argues that a commitment to ethics in an organisation is an essential risk management strategy.

Based on ISO 31000:2018, there are a number of principles of risk management that should be implemented, most of which are closely related to how the organisation applies business ethics. Two of those principles in particular convey that risk management should be an integral part of organisational processes and be part of decision-making. Risk management needs to be integrated with an organisation's governance framework and become a part of its planning processes, at both the operational and strategic levels. Moreover, the process of risk management would most certainly assist decision makers in making informed choices, identifying priorities and selecting the most appropriate action. Therefore, an ethical way of thinking should also be embedded in the practice of risk management; hence its relation to planning and decision making. Furthermore, good ethics would generate more good influence and positive sentiment towards internal and external parties; more importantly, however, good risk management contributes to the achievement of an organisation's objectives through creating and protecting value.

For an organisation to manage its risks well, all its people must act ethically. For example, if someone misrepresents an organisation's product, the organisation is immediately vulnerable to product liability claims and in the longer run may lose its reputation and market share. Moreover, if one of an organisation's executives treats any subordinate employee unethically, that employee may lose his or her enthusiasm for their work, may begin to take advantage of the employer in any of hundreds of little ways, or may simply find another job. Or if one employee discovers that a second employee is embezzling from the organisation, the first employee's failure to report this dishonesty causes financial loss not only to the organisation and to each of its owners but, in the long run, also to those who rely on that organisation for their livelihood.

All in all, it follows from these arguments that good risk management and good ethics support each other. Hopefully, these points are clear and beyond debate. However, in practical risk management, real ethical dilemmas may arise from many different factors. These will be circumstances in which neither good or bad ethics nor good or bad risk management is so black and white, and where management and decision makers together can reason through how best to let good ethics and good risk management work together for the ultimate benefit of all.