Recent research has discussed the importance of connecting an organization’s risk management policy to its culture and values. The authors explore this concept and present a case study as an illustration.
The authors explore whether risk management is related to one global standard or is a function of an organization’s culture and values. They examine the roots of organizational culture and its relationship with the practice of risk management.
How Is This Research Useful to Practitioners?
The authors investigate a way to connect risk management with an organization’s values and examine the concept of aligning an organization’s risk management with its culture and values. They begin with a discussion of the formal and informal traits of ethical organizational culture. The formal traits include the quality of an organization’s leadership, its ability to manage processes and people, and its governance mechanisms to oversee employee conduct. Informal traits are derived from values, implicit behavioral expectations, and organizational customs.
A well-functioning ethical culture identifies organizational values and their alignment with all other cultural elements. The authors review the Center for Ethical Business Cultures’ (CEBC) model of five characteristics: values driven, leadership effectiveness, stakeholder balance, process integrity, and long-term perspective. These characteristics provide a template with which to analyze an organization’s unique ethical culture and measure its adherence to that culture’s principles. The authors abandon the quest for finding a universally acceptable set of values in favor of determining the best way to discover the unique set of values that define a particular organization.
The CEBC model distinguishes between values espoused and values in action and shows how the difference between them creates the basis for ethical risks. Essentially, it is the risk of failing to practice what one preaches. A further source of risk is the gap not only between an organization’s values in action and espoused values but also between the values in action and broader societal values.
The authors discuss societal expectations, citing the example of enterprise risk management, which is a holistic, integrated, and overarching assessment of an organization’s risks, both visible and anticipated. They offer their own term, “modern risk management,” to describe a process that reviews an organization’s history, internal and external environments, stakeholder assessment, and purpose and objectives, and that provides a system of risk evaluation, treatment, and monitoring.
Behavioral economists and risk managers will recognize the importance of the link between organizational values and culture and the proper conduct of risk management that seeks a healthy balance between risk taking and risk mitigation.
How Did the Authors Conduct This Research?
The authors review current thinking on organizational values, discuss the CEBC five-point model, and consider the interaction between risk management and culture and values. They conclude with a case study of Veritas Institute, which has proposed a tool to assess the connection between risk management practice and values.
The Veritas Institute develops and uses a self-evaluation tool that incorporates its Self-Assessment and Improvement Process (SAIP) methodology. This process brings together insights from corporate ethics, spirituality, and total quality management. Veritas’s toolkit is designed to help organizations assess whether their management systems, values, and culture support their espoused values. The authors present a particular application of this approach in the form of the Catholic Identity Matrix to examine the extent to which a Catholic healthcare institution’s values and principles from the Catholic tradition are integrated into its management process and culture. The matrix is recognized as a best practice in Catholic healthcare.
Although society has increasingly looked for a standard of risk management that integrates a framework of discipline into an organization’s governance, strategy, policy, and culture, the process is invariably a function of that organization’s unique culture and values. Determining how best to identify these values through the lens of risk management is the authors’ objective. Such a robust assessment during the recent financial crisis could have helped to identify how culture and values contributed to a risk management process that went out of control. It would be interesting to see research on the development and application of a self-evaluation methodology to a faith-based financial institution, such as one rooted in Shari’a law.