Photo: Texture of sand with lines. Zen concept

Risk Perception, Awareness and Risk & Control Governance: How to improve the dialogue between the actors of control and compliance systems with internal and external stakeholders

09 May 2023
Knowledge Base

by Fabio Accardi

In the first part of the book “Risk and Control Governance” [*1] I have highlighted, also with simple examples, how the theme of risk management pertains, in the first place, to our personal dimension. Indeed, in daily choices, if we want to face a decision that concerns us, we always need to make assessments that relate to the probability of running into some events or not. Of course, this relates to decisions that have an impact on the environment and the social context in which we live. The principles and values that guide our conduct constitute the foundations of our “culture of risk”. This can eventually condition the creation of value for the areas that interest us most directly. In terms of environment, the terms “nimby” (not in my backyard) and “pimby” (please in my backyard) are now widely applied. We cannot assess in advance whether a certain type of behavior attributable to these two patterns leads or not to value creation for us and for others. In any case, our choices are not always guided (only) by rationality and compensated by adequate returns or personal advantages. It is known, for example, that the phenomenon of illegal landfills of materials harmful to health, as well as a serious violation of the rules with the subsequent risks of sanctions also constitutes a serious damage to people and the environment. Yet, willing people have allowed them to be built not far from their homes, demonstrating a poor perception of the risks to which they are exposed. In order to obtain easy immediate profits, in fact, the consequences that these landfills have on them and their families are not evaluated. Similarly, if we have a large garden, we can agree on the benefits that can derive to us and our neighbors from the installation of solar panels, but we oppose because we do not renounce to sacrifice a portion of space to devote to these installations.

These general considerations, if expressed in a business logic, make clear how the perception of the risks of our internal and external interlocutors is a fundamental driver in orienting the decision-making processes. If we consider typical areas of compliance as risks of fraud and corruption, but also health and safety risks, we are aware that poor sensitivity and culture can expose the organization to unacceptable levels of risk.

But what drives the perception of the risks of management and stakeholders in general? Is it enough just to pay attention to the rational sphere or are there other areas to explore? In this sense, a research that is not limited to purely technical issues but also examines other dimensions in a multidisciplinary logic, can be very useful to those who deal with the issues of control and compliance in an integrated way. This is what we will try to do in this paper in which we intend to highlight how this “open minded” approach can bring value to our activities and positively increase our capacity for dialogue.

Perception and risk management: a look at the perspectives of the “neuroeconomy”

Neuroeconomics is a discipline of growing importance that grafts into the economic context some elements of psychology. It opens a new frontier with respect to classical economic theories that are based on individuals’ rationality and on the assumption that decision-making process are guided by conscious choices. The neuroeconomic approach has refocused the importance of the emotional sphere as the primary source from which the actions, behaviors and thoughts of the individual come. It follows that for a full understanding and evaluation of behaviors it is necessary to overcome the traditional approach and investigate what is happening in the mind of the individual.

Among the areas of study typically referable to the issues of compliance, the one in which the psychological component of fraud and corruption has been examined. In the well-known Fraud Triangle scheme of Cressey (1973) [*2], the recurring factors in which fraud can be classified concern :

• Pressure (Reason): the need to commit fraud (“what drives me to commit fraud”);
• Rationalization: the justification I have in doing is (e.g. “I do what everybody does”);
• Opportunity: a deficiency in the system of internal controls that allows me to implement the fraud.

Pressure is typically a boost that can come from emotional factors, both personal and organizational, if we think of those business contexts in which there is a strong focus exclusively on short-term results.

In fact, the case studies drawn from reality and more recent methodological insights (Murphy and Dacin, 2011) [*3] have outlines complex psychological mechanisms that can lead to fraud even people not predisposed to commit them. In particular, 3 paths can be delineated (Di Carlo, 2020) [*4]:
a) the lack of awareness, that is the non-recognition of fraud that leads to fraudulent behavior, without any kind of reasoning and without attempts to reduce negative feelings;
b) intuition and rationalization where there is awareness of the fraudulent nature of the behavior resulting in a conscious decision;
c) reasoning, that is a stage of non-compliant behavior dictated by precise calculations that the individual carries out in terms of costs and benefits.

Threats of potential sanctions, particularly in case a) where the rational component does not intervene, may not be the most suitable system to mitigate this type of risk. As we will se also for other types of risks, adequate training and communication on human capital can bring attention to the ethical and value system of the organization and contribute to that “moral suasion” that can lead to desist from censurable behavior.

If we now focus on workers’ health and safety issues, another typical area of great importance for compliance, it is known that different accident cases result from poor sensitivity or attention to risks. Simple examples bring us back to not-worn safety equipment (vests) or worn inadequately (helmets not fastened) although made available and indeed mandatory to use. Since these behaviors are not based on rational choices but on poor risk perception, standalone sanction systems may not be sufficient to support corrective actions. For these reasons, organizations can decide to undertake cognitive behavioral paths aimed at increasing the so-called “cognitive maturity” of workers. Some of the areas on which to intervene, just to mention, concern the so-called “optimistic prejudice” (belief that events are less likely to happen to itself than to others) and the “psychological distance” (perception that risks are more likely to affect distant places or in the distant future).

How to guide awareness to improve dialogue with our stakeholders

Let’s now try to decline the considerations carried out to draw useful indications for the performance of the activities and functions of internal control and compliance. Of course, we are aware that in the interviews we schedule with the process owners we cannot think of being supported by a psychologist (even if sometimes it may not be a bad idea…). But each of us is well aware of how the dimension examines must be kept well in mind when we analyze the causes of events, detect exceptions and propose corrective actions. With reference to the examples that have been proposed, to ascertain if there are only personal motivations or also a strong pressure from apical subjects in pushing towards a corruptive behavior of an employee, strongly affects the suggestions that we can propose. Similarly, if an accident involves the recklessness of an individual or a widespread lowering of guard levels on security issues, several will be traffic lights that should be activated in our reports.

If we are aware of these issues, we realize how important it is in the conduct of audits or in the implementation of compliance program to analyze the processes we examine in an objective way keeping in mind that the subject with whom we talk has a specific ethical, human and emotional dimension. On the other hand, we should always be aware that our personal beliefs, opinions and points of view gained in previous experiences can affect the assessment of what we are told.

The complexity of the issues does not allow simplifications and recipes that may apply in all circumstances but leads to suggest an approach to use and keep in mind in the management of the dialogue with management and in general with all the stakeholders with whom we interact. This approach is inspired by broader views linked to ethical and philosophical issues that, however, have had important developments on the methodological side, influencing the development of different disciplines and giving impetus to the proliferation of studies and research in both the psychological and managerial and organizational fields.

Thich Nath Hank [*5], one of the most important figures in terms of spirituality (moreover, nominated for the Nobel Prize by Martin Luther King in 1967) offers us some insights in this regard. In fact, the author in the search for the foundations of a universal ethics, points out the need to reckon with climate change, terrorism and wars between peoples of different religions “highlighting how we must look at such events (global risks) in terms of “sufferings to examine thoroughly in order to make valid decisions and behave wisely”.

This implies, firstly, being aware of the consequences of our choices not only in purely rational terms, as the reference to suffering makes clear that the awareness to which the reference is made refers to a mental and psychological attitude that we can define in a word: compassion.

However, we must be careful not to attribute to this term values of mere goodwill and passive acceptance of reality and instead return to the etymological root of the term that rekindles the ability to “suffer together” with the subject with which we relate. In this sense, an article published in the Harvard Business Review in May 2015 [*6] illustrates how compassion can also be especially useful for improving managerial performance. In particular research carried out by scholars of several universities cited in the paper (Stanford, New York ., Wharton) have shown that responses based on anger and frustration reduce the level of loyalty of employees towards their managers, inhibiting creativity and increasing the level of stress. On the contrary, a sympathetic and “compassionate” attitude instead facilitates interaction with one’s interlocutors by helping to learn from lessons learned from one’s own mistakes by encouraging the choice of appropriate corrective actions. [*7]

If this applies as a matter of concern for decision-making processes, it must also apply even more to internal control and compliance processes, as we will try to focus on the synthesis and conclusions.

Summary and conclusions

Although the exploration of the personal dimension and psychology would require a much deeper examination that in this paper is not possible to carry out, I believe that the insights that have been made reveal two perspectives to be taken into account in the activities of the internal control and compliance functions. In particular:
– from the point of view of processes , an appropriate balance must be found between being empathetic and sympathetic, identifying oneself with the interlocutor and the dimension of collection of objective evidence supported by the rational sphere indispensable for carrying out the assurance function;
– with regard to outputs and deliverables , that is the way of representing the results of the activities carried out, the evaluations expressed must be such as not to stimulate defensive or closing behaviors but rather to favor an effective proactivity in the performance of corrective actions and in the resolution of gaps.

In conclusion, also in the expression of opinions, through reports drawn up through advanced survey tools such as data analytics, effective and shared communication promotes the creation of value by all the actors involved. Technology can give an important support (e.g. tools that elaborate the main evidence of the verifications assigning a rating to the internal control system are now commonly used) but it can never replace the sensitivity of those who have drafted or approved the report and expressed opinion. Communication, therefore, is decisive: the response of the organization and therefore the ability to contribute to its resilience depends on its effectiveness. And this can only happen if we keep In mind that those to whom we turn to are first and foremost people before owners or, in general, stakeholders.

The author thanks Chiara Bravi for the support in translation of Italian version of this articles , published in Risk & Compliance Platform Italy , in English .

About the author, Fabio Accardi, is Professor of various masters and executive programs at the University of Rome Tor Vergata, Luiss Business School, Italian Association of Internal Auditors (AIIA) as well as member of several Corporate Boards. Please check this link.


[*1] Accardi (2021) “Governo e controllo dei rischi – Manuale per scelte consapevoli e sostenibili. Metodologia, casi ed esemplificazioni”; Ed.Franco Angeli. Please cehck this link.

[*2] Cressey (1973) “Other People’s money”, Patterson Smith.
[*3] Murphy, Dacin (2011) “Psychological Pathways to fraud: understanding and preventing fraud in organizations” Journal of Business Ethics.
[*4] Di Carlo (2020) “Il conflitto di interessi nelle aziende. Linee Guida per amministrazioni pubbliche e non profit” Ed. Giappichelli.
[*5] Thich Nhat Hank (2016) “Le quattro verità dell’esistenza”; Ed. Garzanti.
[*6] Seppala (2015) “Why Compassion Is a Better Managerial Tactic than Toughness” Harvard Business Review.
[*7] “…by choosing a compassionate response when they know they have made a mistake, they are not destroyed, they have learned a lesson, and they want to improve…..” (Seppala, cit.)

Leave a Reply

Your email address will not be published. Required fields are marked *