In this article we posit three questions. The first question is: “Is it a social responsibility of companies that they undertake a comprehensive risk assessment?” The second question: “Does the notion of conscience and its application to the generation and use of risk information and information in general, create an obligation for the organization to disclose the results of the comprehensive risk assessment?” The third question: “How do the people in the organization communicate the information from the comprehensive risk assessment to stakeholders and yet preserve security and protect the organization?”
The three questions may, at first, appear simple and straightforward. However, as we dissect each, we find that there is significant complexity intertwined in these questions. While this article does not attempt to provide a rigid framework or hard and fast answers to the above questions, it is our intent to set in motion a dialogue regarding corporate social responsibility (CSR) and its relationship with governance risk and compliance (GRC) activities/obligations that form a social contract between the organization and its stakeholders.