Because most companies have developed mechanisms for preventing ethical or legal violations on an “as needed” basis, prompted by various infractions and incidents over the years, most organizations have never considered ethics and risk management to be a single strategic process. In fact, one of the greatest inhibitors of detecting and avoiding risk is that companies today still often have the same sort of silo-based compartmentalization that plagued other operational processes in the past.

This means that there is little coordination between corporate functions and reporting systems, and no attempt is made to create a formal “early warning” process for identifying potential reputation-damaging incidents. Ethical codes and value statements are introduced to new employees and remain primarily within the domain of human resources and the legal department and are never mentioned again (until an incident occurs). Environmental safety still has a compliance-based focus, lacking full integration into operational improvement, risk management, or strategic planning. Most corporations still have a variety of methods to help them avoid product safety, environmental, or employment crises, yet these methods remain piecemeal and uncoordinated and are usually established only on a departmental level, varying widely in their implementation between groups. Companies seldom use integrated enterprise-wide systems or processes to record incidents, capture trends, or conduct regular reviews by senior management.

All this means that most companies in stage one or stage two have created multiple areas of focus that have developed throughout the organization to address risks. Typically, these areas of focus include the following:

The problem with this approach is obvious. First, there is usually little coordination between these areas. Operations, quality, sales, accounting, internal audit, health and safety, environmental management, human resources, executives, the board: All of these areas tend to remain relatively separate on a day-to-day basis.

This fragmented approach is common to most organizations. “For too long,” says Lynn Drennan, head of the Division of Risk at the Caledonian Business School at Glasgow Caledonian University, “the practice of ‘risk management’ has been compartmentalized within organizations. Health and safety management, fire prevention, security, internal audit, insurance, and business continuity planning have often been placed in separate little boxes, creating tensions between, rather than working in harmony with, one another.”

The normal processes that help a company to detect potential crisis issues are usually focused on manufacturing and product safety and are pursued through day-to-day operational policy that is initiated through OSHA and EHS standards. Some companies have instituted environmental safety systems, but these too are usually seen as separate from an overall ethical or crises response policy framework.

“For many organizations, risk management is piecemeal, uncoordinated, and focused exclusively at an operational level,” concludes Drennan. “What is needed is a more holistic approach to ‘risk management.’ One which understands that these functions are interrelated and that a change in one can have an impact on the others.”²

Making things more difficult is that in most organizations, the emphasis on ethics begins and ends with a values statement hung on the cafeteria wall and a high-level code of conduct that is signed and forgotten after new employee orientation. Not only is there little corporate emphasis placed on ethical behavior or concern for the company reputation, but there are no workable standards or guidelines to which the average employee can turn in order to assess risk or act on issues.

True, human resources professionals will be aware of federal guidelines in terms of equal opportunity employment or sexual harassment, but they are seldom involved when a company is making the decision about whether to work with a factory in Guatemala that may employ underage workers in unacceptable conditions. Even when shop floor operations have EHS compliance increasingly built into their processes, these activities are usually based on a “minimum compliance” model and little valuable information is captured or learned from the process. Legal understands high-level regulatory requirements, but most environmentally related decisions are made by mid-level managers in the field with little substantive policy guidance. Audits are usually still exclusively finance focused, and particularly in foreign or nonowned factories, audits are either nonexistent or cursory and almost never include employee or environmental issues. In short, there is no coordination between the various parties whose opinions may be needed in order for the company to make the best decision on a controversial issue.

Second, not only are these activities uncoordinated, but there is little corporate oversight. Typically, each of these departments is perceived as a specialist silo, with a leader that is keen not to be seen doing something wrong in front of his or her peers or to reveal uncomfortable issues to his or her superiors in the organization. With no formal audit or review process and no pervasive ethical code of conduct, too often employees are encouraged at a departmental level to sweep incidents under the carpet. These incidents go unrectified and unrecorded.

Ironically, in most large companies (as we have seen repeatedly during testimony in the 2002 scandals), the board members have little knowledge or understanding of potentially reputation-threatening issues; there is no formal mechanism, other than possibly the financial reporting–focused audit committee, through which these issues are brought to their attention. Ultimately responsible for oversight of company policy, too often board members have little operational information upon which to assess potential risks to the company’s reputation.

“Typically,” says Jim Kartalia, “what we have seen is that there are departmental information silos where the information is really only contained for that one department and every department has a different information system—whether it is a regulatory compliance or incident management system—and there is no overall consolidated enterprise approach.”³

In most companies, general council becomes the coordinating party. But lawyers, usually risk averse and with little operational knowledge, focus on compliance issues and cannot be expected to advise on broader public reaction issues; the sort of issues that though not illegal may cause enormous public outrage. Moreover, in our “can-do” culture, operations and sales people are often hesitant to take an ethical or risk query in front of legal council, assuming that they will be “putting their head on the chopping block” and that the answer to any query will invariably be “stop doing whatever you are doing.”

Third, this type of approach is almost exclusively internally focused. With many incidents, the outrage that a policy might cause is not obvious to internally focused employees. To truly judge potential policy risks, companies need formal and active contact with a variety of stakeholders, from NGOs to suppliers, taking into account the important shift that stage three and four companies have made from shareholder to a broader stakeholder focus. This shift in emphasis from a focus exclusively on shareholder value to a broader focus on stakeholder value is one of the more important characteristics of a stage three company.

For the past two decades, the concept of shareholder value has been central to Anglo-American business. In management consultancies in the 1990s, the walnut-paneled offices of the “big five” echoed with the mantra “shareholder value” with a determined singleness of purpose. The idea is that companies are actually owned by and responsible to the shareholders, and therefore the primary duty of management is to increase the wealth of those shareholders (with the unsaid implication that all other parties involved—employees, local land owners, or endangered species—are of secondary importance).

What is often not appreciated, though, is that achieving the greatest profit for the shareholders in the long run may be dependent upon a more balanced approach to management in which other groups (stakeholders) are taken into account. These stakeholders include customers, environmentalists, NGOs, regulatory agencies, local communities, the government, and even, many would argue, future generations (Figure 5.1).