The document discusses three questions regarding corporate risk reporting and social responsibility: 1) Is it a company's responsibility to conduct comprehensive risk assessments? 2) Does a company's conscience obligate them to disclose risk assessment results? 3) How can companies communicate risk information to stakeholders while preserving security? The authors posit that risk assessments can help companies learn and adapt their behaviors. However, disclosing information fully risks security, while withholding too much damages stakeholder relationships. Companies must carefully balance transparency, protection, and building trust.

1. Unintended Consequences of Risk Reporting
By: Geary W. Sikich and Joop Remmé
Copyright© Geary W. Sikich, Joop Remme 2016. World rights reserved. Published with permission of the authors.
Introduction
In thisarticle we positthree questions. The firstquestionis:“Isit a social responsibility of companies
thatthey undertakea comprehensiveriskassessment?” The secondquestion:“Doesthenotion of
conscienceand its application to the generation and useof risk information and information in general,
create an obligation forthe organization to disclosethe resultsof the comprehensiveriskassessment?”
The third question“Howdo thepeoplein the organization communicatetheinformation fromthe
comprehensiveriskassessmentto stakeholdersand yetpreservesecurity and protectthe organization?”
The three questionsmay,atfirst,appearsimple andstraightforward. However,aswe dissecteach,we
findthatthere is significantcomplexityintertwinedinthese questions. While thisarticledoesnot
attemptto provide arigidframeworkorhard and fastanswerstothe above questions,itisourintentto
setin motiona dialogue regardingCorporate Social Responsibility(CSR) anditsrelationshipwith
Governance RiskandCompliance (GRC) activities/obligationsthatforma social contract betweenthe
organizationanditsstakeholders.
1) Is it a social responsibilityofcompaniesthat theyundertake a comprehensive riskassessment?
Whenone asks “Is it a social responsibility of companiesthatthey undertakea comprehensiverisk
assessment?”;we beginto view the organization asa livingentity. Organizationsall have cultural traits
that identifyanddifferentiate themfromotherorganizations. Organizational culturedefinesthe
behaviorsandaspirationsof those whobelongtothe organization. Itcreatesa contextof
responsibilities,obligations,goalsandobjectives thatpertainbothtohow the membersof the
organizationtreateachotherand to how the outside worldcanbe expectedtobe treatedbythem.
While the organization’s goalsandobjectivesmaychange overtime tomeetstrategicinitiatives,
responsibilitiesandobligationsoftenprovide astable platformforoptimizingoperational effectiveness
once theyare solidifiedinthe culture. AsdevelopedbyTrompenaars,aculture can bestbe seenasa
social structure forproblem solving. Thatbringsusto risk. What if the effortstosolve jointproblems
fail? That isa riskthat maynot have beenadequatelyaddressedbytraditionalriskmanagement.
Doesthisquestionthen assume apositive effectfrom conductingcomprehensiverisk assessments?
Doesthe organization’s management,andriskmanagementfunction,learnfromthe riskassessment
processand therebychange organizational behaviors? Tophrase thisintermsof culture,dothe
cultivatedbehaviorswithinthe organizationadapt? Or,isthe comprehensiveriskassessmentprocess
merelyapaperexercise designedto meetregulatoryrequirements?
Realizingthe full range of responsibilities,commitments, learningandapplyingthe resultsof a
comprehensive riskassessmentcreatesanorganizational “conscience”;arecordof resultsthat
effectivelyobligesthe organizationtoact.
We can focusthison responsibilitiesthathave todowithdata; in thisdayand age the life bloodof
businessprocessesandrelationships. Forexample,take EuropeanUnion(EU) privacyconcernsanddata
protection. Whendealingwithnon-EUcompanies,consultancies,etc.,ariskisposedby these non-EU
organizationshavingdataontheirEU clientswithnone of thatinformationbeingprotectedunderEU

2. Unintended Consequences of Risk Reporting
By: Geary W. Sikich and Joop Remmé
Copyright© Geary W. Sikich, Joop Remme 2016. World rights reserved. Published with permission of the authors.
regulation. Thiscanconstitute toomuchof a riskfor the EU client,suchthat theywill refrainfrom
engagingnon-EUcompanies/suppliers.
2) Does the notionof conscience and its applicationto the generationand use of risk informationand
informationin general,oblige the organization to disclose the resultsof the comprehensive risk
assessment?
Part of conscience isthe responsibilitytorealize whatyoudid. Thisrealizationis requiredforthe
disclosure of riskassessmentresultsdictatedbyregulations, butalsoforthe developmentof
responsible andproductive engagement(communications, interfaces,etc.) withall stakeholders. Inthe
example citedinquestion#1,regardingEU data privacyconcerns;whatwouldthe organization learn
fromthat realization? Howwouldriskassessmentinformationbe communicated,retainedand
protected? Intermsof culture,thismeansthatan organization mustfosterawarenessamongstits
membersof the organization’s impactsonstakeholders. Thisdoesnottake awaythe responsibilityof
leaders,whoshouldshowsuchawarenessmore thanothers,butitrather helps tobuildleadershipona
sharedsense of responsibility.
Thinkaboutpsychopaths. Accordingtorecentresearch,a psychopathdoeshave a conscience;he/she
justdoesnot letthatconscience interfere with hisorheractions,makingbehaviorspossible that
“normal”people wouldnottypicallyshow. If sucha psychopathicmentalitycomestocharacterize the
culture of an organization,itconstitutesaformidable risk. Youcould saythat if an organizationisnot
able to learnfromwhatit has done,itcannotbe fullyregardedasa responsible organization.
3) And, once accomplished,howdo the people inthe organization communicate the information to
stakeholdersand yet preserve security and protect the organization?
What isthe value of informationforeachstakeholderrelationship? Itisa real quandarythat
organizations mustdeal with - howmuchinformationtostakeholdersistoomuchand whatare the
compliance requirementsthat,if unmetoronlypartiallymet,couldcause stakeholderlawsuits,actions,
etc.that are detrimental tothe organization. A fine line thathasto be carefullynavigated. Here again,
thinkof the example citedinquestion#1,regardingEU data privacyand security. Where should the risk
assessmentinformation(reports,etc.)repository (datastorage) be located,andwhattype of protection
shouldbe usedtosecure the data? What is the riskof hackingto the organization? How can data be
communicatedwithoutraising“redflags”forregulators,etc.? How can the sharingof data with
stakeholderbe restrictedwithoutdamagingthe relationshipsamongstthe stakeholders?
Thisquestionmightbe mainlyabouttrust. Let’sassume,atleast,thatthreatsto securityof information
mainlycome frominefficiencies,orevenill will,amongststakeholders. However,withthe rise of cyber-
crime (hacking,ransomware,etc.),preservingsecuritypartlydependsonpreservingthe goodwill of all
those concerned withprotectingthe security of the organization. Italsoassumes thatidentifiedrisks
(positive and/ornegative) will be addressedbyacorrespondingprogram of “riskbuffering”tocreate
“riskparity”.
The communicationprocessisnolongeronce anddone;it isnow a constantdialogue toensure the
accuracy and freshnessof the information(data). Withregardtoriskdata, the challenge istoprotect

3. Unintended Consequences of Risk Reporting
By: Geary W. Sikich and Joop Remmé
Copyright© Geary W. Sikich, Joop Remme 2016. World rights reserved. Published with permission of the authors.
the data from inadvertentdisclosure and/ormaliciousdisclosure,eitherfrominternal orexternal
sources.
ConcludingThoughts
In thisarticle we have posited three complex questionsthatorganizationsmustaddressfromthe
standpointof Governance,RiskandCompliance;aswell asfroma Corporate Social Responsibility
perspective asrelatestothe social contractwithstakeholders. Ourdiscussionisnotmeant tobe all
encompassing,nortosetstrict guidelines/prescriptionsforcoursesof action. Ratheritisthe intentthat
the readersbegintoknowand betterunderstandthe commitmentsthe organizationmakesin
establishingeffectiveCSRandGRC initiatives.
We encourage commentsanddiscussiononall the pointsmade herein. The goal isto expandthe
dialogue andtoheightenorganizational awarenessof riskinitsconstantlychangingforms.
About the Authors
Geary Sikich – Management Advisor, Author and Speaker
Contact Information:E-mail: G.Sikich@att.net or gsikich@logicalmanagement.com / www.logicalmanagement.com.
Telephone: 1- 219-922-7718.
Joop Remmé Ph.D. – lecturer, researcher, consultant
Contact information: remme@corporate-responsibility-future.eu/ www-corporate-responsibility-future.eu