How to ensure the effectiveness of risk safeguards

The way an organisation conducts itself entails a number of risks, and these risks lead back very clearly to the organisation’s reputation, one of its chief assets.

Increased transparency, regulation, and public scrutiny of corporate activity, combined with the speed and ubiquity of digital communications, mean a company’s perceived failings or misdemeanours can reach a global audience instantly.

The knock-on effects of reputational damage could include impaired access to resources and investment. Repairing that damage could take years and involve significant effort and expense. And if that’s not enough, reputational damage could impact something that is seen as a top risk even for companies of good standing: talent acquisition and retention.

Companies that are highly regarded have the chance to differentiate themselves as a destination for talent. On the other hand, research shows, many workers will not consider joining companies with dented reputations.

A report by EY showed that nearly 80% of workers in the Asia Pacific region would be unwilling to work for companies involved in bribery and corruption. And 53% of UK workers in a LinkedIn survey would not consider taking a role at a company with a poor employer brand, no matter how much money they were offered.

In this context, organisations are becoming increasingly aware that ethical issues can impact their bottom line. Consequently, there is a great deal of focus on the way ethical practices are embedded and implemented. And to that end, many companies are altering policies and striving to become more transparent. The case studies below show how three companies are doing this.

How management accountants can safeguard the business

Management accountants are well-placed to take a proactive role in safeguarding the business by being aware of potential risks and identifying solutions to those risks.

With regard to their own professional codes of conduct, management accountants need to be alert to the following types of risks or threats to the business:

  • Adverse interests: When your interests are contrary to those of the firm. For example, you have a direct or indirect relationship with a vendor, a customer, or a competitor of your employer.
  • Self-interest: When you could be eligible for profit or a performance-related bonus that is directly affected by a decision you make alone.
  • Familiarity: When you have a close relationship with a supplier or client. Example: Hiring someone at a senior level just because you know them personally, without assessing them against other potential candidates.
  • Undue influence: An employer or client applying pressure or other undue influence (also known as intimidation).
  • Self-review: Failing to apply objectivity or independence when assessing information.
  • Advocacy: Promoting the employer’s interests without taking the broader environment into account. For example, omitting or hiding information that would affect an outcome.

Ensuring safeguards are effective

The effectiveness of safeguards depends on a number of factors, including whether the threats to the business have been properly identified, whether the safeguards have been suitably designed to meet their objectives, the way they are applied and by whom, and the consistency of approach within the organisation.

The ethical architecture alone cannot safeguard an organisation. Policies need to be seen to be upheld, and their contravention must lead to negative consequences.

Collecting and using ethical management information can lend valuable insights into both threats and opportunities. An increasing call for such information is coming from external stakeholders, such as investors, to help assess organisations’ long-term value.

Companies such as Northrop Grumman have begun reporting externally on the results of disciplinary action, such as staff dismissals and contracts with suppliers which have been terminated due to issues related to non-compliance.

Leaders must also invest effort and resources into ensuring that the values they espouse are embedded throughout the organisation, and undertake regular and methodical assessment of how policies are being applied, tracked, and acted upon, as well as how any discrepancies were addressed.

Acting as ethical stewards, management accountants can help others gain insight and value from their globally applicable codes of ethics and conduct. The CGMA Code of Ethics can be found at

Tanya Barman is head of ethics at the Chartered Institute of Management Accountants. Samantha White is a CGMA Magazine senior editor.

Case studies

Australia and New Zealand Banking Group

The Australia and New Zealand Banking Group (ANZ), which operates in more than 30 countries across Asia Pacific, Europe, and the US, sought to embed its commitment to human rights into its values, strategy, governance, policies, systems, and processes.

As part of the initiative, the group implemented responsible lending decision-making through an institutional customer due-diligence process. The process takes the social and environmental impacts of prospective and current customers’ business operations into account in financing decisions to ensure the bank does not become associated with, or inadvertently support, human rights violations through the customers or projects it supports.

Staff who are responsible for making business lending decisions are trained on human rights risks that may be present either in a prospective customer’s activities or business relationships, and use the bank’s “social and environmental screening tool” to assess the potential risks in a prospective customer’s industry. These may include forced labour, involuntary resettlement, interference with indigenous peoples’ rights, and corruption.

Once the due-diligence process is complete, the group may decide not to proceed with a loan or to suspend or end a relationship where it is not evident that the customer is committed to improving its human rights performance.

Mitie

Facilities management company Mitie supplied managerial staff with a guidance document setting out the organisation’s code of conduct.

To encourage engagement and prevent staff from being put off by the level of detail in the manager’s guide, the company created a simplified, four-page version of the code called Do the Right Thing, which uses clear and accessible language to explain the most relevant areas of the code, including Mitie’s organisational values and zero-tolerance policy on bribery.

It also outlines “speak-up” procedures for when a situation, action, or decision doesn’t seem quite right.

Lockheed Martin

Aerospace and defence company Lockheed Martin produced an interactive version of its code of conduct, Setting the Standard, with the objective of making it more appealing to new recruits and easier to navigate than the printed version.

Information is presented in a variety of ways, including videos and FAQs. The search function enables employees to instantly access the specific policy they have a concern about or wish to seek guidance on, and then click a link on that page to report a violation, as necessary. Setting the Standard is also accessible on mobile devices so it can be consulted in the field.

Countering risk

To eliminate or help counter these threats or risks, a range of safeguards need to be in place. Safeguards may come from the external environment, such as professional codes; regulations, such as GAAP; or legislation, such as the US Foreign Corrupt Practices Act. Internal safeguards include the company’s own policies, including the ethical architecture.

External safeguards

  • Education and training requirements on ethics and professional responsibilities.
  • Professional standards and the threat of discipline.
  • Competency and experience requirements for professional licensure and credentials.
  • Professional resources, such as hotlines, for consultation on ethical issues.

Internal safeguards

  • Tone at the top emphasising a commitment to fair financial reporting and compliance with applicable laws, rules, regulations, and corporate governance policies.
  • Policies and procedures addressing ethical conduct and compliance with laws, rules, and regulations.
  • Internal policies and procedures requiring disclosure of identified interests or relationships among the employing organisation; its directors or officers; and its vendors, suppliers, or customers.
  • Use of third-party resources as needed for consultation on significant matters of professional judgement.