Elevate Your GRC Ethics: A Powerful 4-Virtue Governance Framework

What This Post Covers

This post maps four classical virtues (prudence, justice, fortitude, and temperance) to specific GRC control families in NIST SP 800-30, ISO 27001, ISO 22301, and the SEC’s Cybersecurity Disclosure Rules. It also integrates the Markkula Center for Applied Ethics’s six ethical lenses and five-step decision framework as operational tools for high-pressure governance decisions. The goal is practical: give governance, risk, and compliance professionals a character-based framework that moves organizations from box-checking compliance to a resilient governance culture. By the end, you will have a Virtue-to-Control Mapping Matrix, a five-step decision protocol, implementation guidance for each virtue, and a downloadable Virtue-Based Risk Assessment Checklist you can deploy in your next risk review cycle.

The four cardinal virtues emerged from classical philosophy as the foundation for human excellence. Plato identified them. Aristotle refined them in the Nicomachean Ethics, where he argued that virtue develops through practice rather than instruction. The word “cardinal” comes from the Latin cardo, meaning hinge; everything else swings on these four.

They are: prudence, justice, fortitude, and temperance.

For GRC professionals, these are not abstract ideals. They are the character traits that determine whether you can do this job well when pressure meets principle. Every difficult judgment call, every escalation decision, every moment of organizational resistance requires at least one of them. Usually all four.

[Infographic: the four cardinal virtues, prudence, justice, fortitude, and temperance, as a GRC ethics framework for professional integrity]

Why Classical Virtues Matter in Modern GRC Ethics

Compliance frameworks tell you what to do. Virtuous GRC ethics determines who you must become to do it consistently under pressure.

That distinction matters more than most professionals acknowledge. GRC ethics is not law: a legal system can be slow to address new problems, and regulatory silence does not equal moral clearance. GRC ethics is not data: evidence tells you what is happening, not what ought to happen. And GRC ethics is not feelings: professional governance requires objective standards that hold even when personal discomfort says otherwise. The four cardinal virtues provide exactly those standards: stable, actionable, and independent of which rule happens to apply this quarter.

The ACFE’s 2024 Report to the Nations lists override of existing internal controls among the most common control weaknesses behind occupational fraud. In those cases the documentation exists and the policies are signed. The problem is human and behavioral rather than technical.

The four cardinal virtues close that gap:

  • Prudence activates sound judgment when no policy covers the situation.
  • Justice enforces fairness when organizational pressure pushes toward favoritism.
  • Fortitude sustains action when doing the right thing carries a personal cost.
  • Temperance maintains discipline when shortcuts look attractive and rationalized.

Technical competence gets you into GRC. These four virtues determine whether you can sustain a career without compromising yourself or your organization. This, my friend, is what we call GRC ethics.

Virtue-to-Control Mapping Matrix

Use this matrix to connect character-based decision-making to specific control frameworks during your next risk assessment, audit planning session, or governance review. The Ethical Lens column draws from the Markkula Center’s six-lens framework and identifies the primary evaluative perspective most relevant to each virtue’s domain.

Prudence
  Definition: Practical wisdom; discerning the right action by weighing all factors.
  Application: Risk appetite calibration; audit judgment; advisory counsel.
  Control families: Risk Assessment, Risk Management.
  Standards: NIST SP 800-30; NIST RMF.
  Ethical lens: Utilitarian. Which action produces the greatest risk reduction for all stakeholders?

Justice
  Definition: Fairness, equity, and fulfillment of obligations.
  Application: Vendor due diligence; access control; investigation integrity.
  Control families: Access Control, Supply Chain Risk.
  Standards: ISO 27001 Annex A.9 and A.15 (2013 numbering; controls 5.15 and 5.19 in ISO/IEC 27001:2022); COSO.
  Ethical lens: Rights and Justice. What do individuals deserve? Are outcomes equitable regardless of rank?

Fortitude
  Definition: Courage to act rightly despite fear, difficulty, or personal cost.
  Application: Incident escalation; whistleblower protection; regulatory disclosure.
  Control families: Incident Response, Business Continuity.
  Standards: NIST SP 800-61; ISO 22301; SEC four-business-day Form 8-K rule.
  Ethical lens: Virtue. What kind of organization do we become if we suppress this disclosure?

Temperance
  Definition: Self-regulation; recognizing “enough” and acting accordingly.
  Application: Data minimization; attack surface reduction; scope discipline.
  Control families: Asset Management, Data Governance.
  Standards: ISO 27001 Annex A.8 (2013 numbering; control 5.9 in ISO/IEC 27001:2022); NIST SP 800-53.
  Ethical lens: Common Good. Does this data posture serve the broader ecosystem, or create unnecessary risk?

The Four Cardinal Virtues Applied

Prudence: Risk Assessment and Professional Judgment

What is Prudence in GRC Ethics?
Prudence, in GRC practice, is the judgment that applies the organization’s risk appetite thresholds to real assets and keeps qualitative likelihood-impact ratings aligned with organizational goals rather than with whatever rating is convenient. A prudent GRC professional distinguishes material risks from theoretical ones, calibrates findings to actual exposure, and defends those judgments under audit committee scrutiny.

Prudence is practical wisdom. It is the capacity to assess a situation accurately, weigh competing factors without bias, and choose the path most likely to produce the right outcome, not just the safe one.

Every risk assessment requires it. Every audit finding demands it. Every policy exception depends on it.

Where Prudence Maps to Control Frameworks:

Risk Assessment (NIST SP 800-30). The prudent risk professional applies structured likelihood-impact analysis without defaulting to worst-case scenarios or politically convenient ratings. NIST SP 800-30 is built around producing risk assessment results that decision-makers can act on, and its appendices define the threat source, likelihood, and impact scales that every rating has to be traced back to. Prudence is the character trait that keeps those outputs honest.

A risk rated “Medium” should withstand scrutiny. If you cannot explain the gap between “Medium” and “High” in terms of threat source, threat event probability, and adverse impact to organizational operations, you have not completed a risk assessment. You have completed a risk template.

Audit Judgment (IIA Global Internal Audit Standards, 2024). The IIA’s 2024 Standards explicitly require auditors to exercise professional judgment throughout engagement planning and execution. Prudence determines when a control gap is a finding, an observation, or a management advisory item. That distinction has budget, timeline, and reputational consequences for the business units involved. Prudence keeps the distinction principled rather than political.

Advisory Work. Right-sized recommendations require prudence. Over-control adds bureaucratic cost without reducing risk. Under-control leaves organizational exposure. The prudent advisor gives counsel that fits the specific context, not boilerplate solutions copy-pasted from a prior engagement.

How to Develop Prudence:

Examine your significant judgment calls after the fact. What factors did you weigh? What did you miss? What would you change? Prudence accumulates through examined experience. It is not an innate talent. It is a discipline.

Justice: Vendor Risk Management and Access Control

What is Justice in GRC Ethics?
Justice is the equitable application of GRC standards across all subjects, regardless of rank, relationship, or organizational politics. In practice, it governs vendor due diligence processes, access control decisions, and investigation integrity. Justice ensures that the same control deficiency receives the same rating in a favored business unit as it does in a disfavored one.

GRC professionals hold significant structural power. Risk ratings affect resource allocation. Compliance determinations affect business operations. Access control decisions affect data exposure. Justice ensures that power serves legitimate organizational ends rather than personal agendas.

The COSO Internal Control Framework identifies integrity and ethical values as foundational components of the control environment. Justice is how those components manifest in daily decisions, not in policy language, but in the consistency of execution.

The Markkula Center’s Rights Lens and Justice Lens are the primary evaluative tools here. The Rights Lens asks what individuals are owed: privacy, due process, fair treatment. The Justice Lens asks whether comparable situations are receiving comparable outcomes. Together, they define what procedural and distributive fairness looks like inside a GRC function.

Where Justice Maps to Control Frameworks:

Vendor Risk Management (ISO 27001 Annex A.15; control 5.19 in ISO/IEC 27001:2022). Third-party relationships must be evaluated through structured due diligence processes that apply consistent standards across all vendors, regardless of contract size, relationship tenure, or executive sponsorship. ISO 27001 Annex A.15 requires organizations to implement supplier security policies that address all relevant security requirements. Justice is what keeps those policies applied uniformly rather than selectively.

Access Control (ISO 27001 Annex A.9; control 5.15 in ISO/IEC 27001:2022). The principle of least privilege is, at its core, a justice framework. Access permissions must reflect operational necessity, not organizational rank, tenure, or personal preference. The just GRC professional enforces access reviews with the same rigor for C-suite accounts as for entry-level staff. Privileged access audits should apply the same analytical standards regardless of whose credentials are under review.

Investigations. The accused deserves a fair process regardless of their position. Evidence must be evaluated objectively. Conclusions must follow from documented facts. The just investigator reaches consistent conclusions whether the subject is a junior employee or a senior executive.

Regulatory Interaction. Honesty with regulators is non-negotiable. The just compliance professional does not mislead, conceal, or misrepresent. This is not only an ethical requirement; it is a legal one under frameworks including the SEC’s cybersecurity disclosure rules and SOX Sections 302 and 906.

How to Develop Justice:

Examine your biases systematically. Notice when you calibrate findings differently based on relationships. Build process structures that enforce consistency: documented criteria, cross-functional calibration sessions, and peer review before any final determination. Justice is not a feeling. It is a system that produces equitable outcomes even when feelings push in the opposite direction.
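One way to make two of these checks mechanical, as an added example that is not from the post or from NIST: a small Python script that refuses to call a rating defensible unless threat source, likelihood, and impact are documented and the rating agrees with the SP 800-30 combination table (the Prudence point from the risk assessment section above), and that queues a control gap for a calibration session when two business units rated the same gap differently (the Justice point in this section). All finding data is constructed for the example; the combination table is our transcription of NIST SP 800-30 Rev. 1, Appendix I, Table I-2 and should be checked against the standard before you adopt it in a methodology.

```python
"""Added example (not from the post): a defensibility check for risk ratings
(Prudence) and a cross-unit calibration check (Justice) on constructed findings.

The combination matrix is transcribed from NIST SP 800-30 Rev. 1, Appendix I,
Table I-2; verify it against the standard before relying on it.
"""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

LEVELS = ("Very Low", "Low", "Moderate", "High", "Very High")

# Rows: likelihood that a threat event occurs and results in adverse impact.
# Columns (in LEVELS order): level of impact. Cell: resulting level of risk.
# Transcription of SP 800-30 Rev. 1 Table I-2 (an assumption to verify).
RISK_MATRIX = {
    "Very High": ("Very Low", "Low", "Moderate", "High", "Very High"),
    "High":      ("Very Low", "Low", "Moderate", "High", "Very High"),
    "Moderate":  ("Very Low", "Low", "Moderate", "Moderate", "High"),
    "Low":       ("Very Low", "Low", "Low", "Low", "Moderate"),
    "Very Low":  ("Very Low", "Very Low", "Very Low", "Low", "Low"),
}


@dataclass(frozen=True)
class Finding:
    finding_id: str
    business_unit: str
    control_gap: str              # normalized wording of the deficiency
    threat_source: Optional[str]  # who or what exploits the gap (SP 800-30 App. D)
    likelihood: Optional[str]     # one of LEVELS
    impact: Optional[str]         # one of LEVELS
    assigned_rating: str          # what the assessor put on the report


def computed_rating(likelihood: str, impact: str) -> str:
    """Level of risk for a likelihood/impact pair, per the matrix above."""
    if likelihood not in LEVELS or impact not in LEVELS:
        raise ValueError(f"likelihood and impact must be one of {LEVELS}")
    return RISK_MATRIX[likelihood][LEVELS.index(impact)]


def defensibility_gaps(f: Finding) -> list[str]:
    """Prudence: a rating is defensible only if threat source, likelihood and
    impact are documented and the rating agrees with the matrix. Returns the
    reasons it is not; an empty list means the rating can be defended."""
    gaps: list[str] = []
    if not f.threat_source:
        gaps.append("no threat source documented")
    if f.likelihood not in LEVELS:
        gaps.append("likelihood missing or not on the assessment scale")
    if f.impact not in LEVELS:
        gaps.append("impact missing or not on the assessment scale")
    if f.likelihood in LEVELS and f.impact in LEVELS:
        expected = computed_rating(f.likelihood, f.impact)
        if expected != f.assigned_rating:
            gaps.append(f"assigned {f.assigned_rating} but Table I-2 gives {expected}")
    return gaps


def calibration_review_queue(findings: list[Finding]) -> dict[str, dict[str, tuple]]:
    """Justice: the same control gap rated differently in different business
    units goes to a calibration session. A difference is not automatically
    wrong (threat environments differ), but it must be explained, not assumed.
    Returns {control_gap: {business_unit: (likelihood, impact, rating)}} for
    every gap whose triples differ across units."""
    by_gap: dict[str, dict[str, tuple]] = defaultdict(dict)
    for f in findings:
        by_gap[f.control_gap][f.business_unit] = (f.likelihood, f.impact, f.assigned_rating)
    return {gap: units for gap, units in by_gap.items()
            if len(units) > 1 and len(set(units.values())) > 1}


# Constructed sample: the same access-review gap in two units, plus a finding
# whose rating was softened below what its own inputs support.
SAMPLE_FINDINGS = [
    Finding("F-001", "Treasury", "Quarterly privileged access review not performed",
            "Insider with privileged credentials", "Low", "High", "Low"),
    Finding("F-002", "Shared Services", "Quarterly privileged access review not performed",
            "Insider with privileged credentials", "Moderate", "High", "Moderate"),
    Finding("F-003", "Treasury", "Remote access without multi-factor authentication",
            None, "High", "High", "Moderate"),
]

if __name__ == "__main__":
    for f in SAMPLE_FINDINGS:
        gaps = defensibility_gaps(f)
        print(f.finding_id, "defensible" if not gaps else "; ".join(gaps))
    for gap, units in calibration_review_queue(SAMPLE_FINDINGS).items():
        print("calibration review:", gap, units)
```

Run as-is, F-001 and F-002 pass the defensibility check, F-003 fails it on two counts (no threat source; a High/High pair written up as Moderate), and the access-review gap is queued because Treasury rated its likelihood Low while Shared Services rated it Moderate. The queue does not decide who is right; that is what the calibration session and the documented criteria are for.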

Fortitude: Incident Response and Business Continuity

What is Fortitude in GRC Ethics?
Fortitude is the organizational capacity to sustain correct action under pressure: escalating material incidents within required timelines, maintaining business continuity under adverse conditions, and delivering uncomfortable findings without softening them for political convenience. Under the SEC’s 2023 Cybersecurity Disclosure Rules, registrants must report a material cybersecurity incident within four business days of determining that it is material. Fortitude is what closes the gap between knowing that rule and following it.

This profession exists to say things people do not want to hear. Control deficiencies. Compliance gaps. Material risk exposures. Investigative findings that implicate powerful people. The information GRC professionals must deliver regularly threatens someone’s budget, timeline, reputation, or authority.

Fortitude is what allows you to deliver it anyway.

In soccer, a center-back does not abandon their defensive line because the opposing striker is faster or louder. They hold position. They trust their structure. They make the tackle when it needs to be made. GRC professionals who hold their analytical line under executive pressure, who refuse to adjust a “High” finding to a “Medium” because the CFO prefers the latter, are practicing the same discipline. Structure over comfort. Accuracy over harmony.

Where Fortitude Maps to Control Frameworks:

Incident Response (NIST SP 800-61). Effective incident response requires organizations to act decisively and accurately under time pressure. NIST SP 800-61 Rev. 2 organizes incident handling into preparation; detection and analysis; containment, eradication, and recovery; and post-incident activity, and those phases must execute regardless of organizational reluctance to acknowledge an incident. Fortitude is the character trait that sustains accurate classification and prompt escalation of a security event, even when that escalation triggers disclosure obligations and investor notifications. Note the division of labor: the incident response team rarely makes the materiality determination itself; its job is to classify accurately and escalate quickly enough that the disclosure committee and counsel can.

SEC Cybersecurity Disclosure Rules (4-Day Clock). Under the SEC’s final rules, which took effect for most registrants in December 2023, a registrant must file Item 1.05 of Form 8-K within four business days of determining that a cybersecurity incident is material. Note what starts the clock: the materiality determination, not discovery of the incident. The rule closes the obvious loophole by requiring that determination to be made without unreasonable delay after discovery, and it permits a filing delay only where the U.S. Attorney General determines that disclosure would pose a substantial risk to national security or public safety. The determination itself is where fortitude is needed: organizations face structural incentives to delay it. GRC professionals must build and defend processes that apply consistent materiality standards free from those incentives.

Business Continuity (ISO 22301). ISO 22301 establishes requirements for business continuity management systems, including the maintenance of operations under adverse and disruptive conditions. Fortitude at the organizational level is what allows a business continuity plan to function as written, including when activation means acknowledging publicly that a disruption has occurred.

Whistleblower Protection. SEC whistleblower program data confirms that fear of retaliation remains a primary barrier to internal reporting. Fortitude requires investigating complaints about powerful people with the same rigor applied to complaints about anyone else, and refusing to engage in subtle retaliation even when that retaliation has implicit executive support.

Case Study Application. Two training scenarios from the Markkula Center’s Ethics Cases library illustrate fortitude in practice. “Make Waves or Go With the Flow” presents the ethical pressure an internal auditor faces when organizational culture rewards compliance theater over honest reporting. “Speak Up or Stay Silent” models a sales report discrepancy, a classic whistleblowing scenario where the cost of speaking up is personal and the cost of silence is institutional. Both function as pre-crisis rehearsal tools: environments where your team can practice fortitude before it costs something.

How to Develop Fortitude:

Take small stands before you face large ones. Document your reasoning so you can defend your position clearly and consistently. Build financial resilience so career risk does not force ethical compromise. Courage is not fearlessness. Courage is action in the presence of fear. Managing the fear is the skill. Eliminating it is not the goal.

Temperance: Data Minimization and Asset Management

What is Temperance in GRC Ethics?
Temperance is the organizational discipline to collect only the data required, retain only what serves a defined purpose, and manage assets with attention proportional to actual risk. In GRC, temperance directly reduces attack surface by eliminating unnecessary data stores, over-privileged accounts, and scope creep that dilutes control effectiveness. Organizations that practice temperance align their data posture with the NIST SP 800-53 controls on information retention and PII minimization and with ISO 27001 Annex A.8 asset management controls.

The Markkula Center’s Internet Ethics work offers a blunt operating principle for this virtue: “If you can’t secure it, don’t connect it.” That is temperance applied to infrastructure. Not every IoT device, integration, or data pipeline that can exist should exist. Temperance is the governance character trait that enforces that boundary, not as policy language, but as instinct. Organizations that have internalized this principle spend less time managing breach exposure and more time managing the assets that actually create value.

Bruce Lee’s instruction, “hack away at the unessential,” is an information security strategy. Every unnecessary data store is potential breach exposure. Every over-scoped audit is diluted remediation focus. Every rationalized risk appetite exception is a governance culture problem.

Temperance is organizational self-control. And in GRC, self-control is a security control.

Where Temperance Maps to Control Frameworks:

Data Minimization (NIST SP 800-53; ISO 27001 A.8, which ISO/IEC 27001:2022 splits across control 5.9 for asset inventory and 8.10 for information deletion). Organizations must collect personal and sensitive data only to the extent necessary for a defined, legitimate purpose. Retaining data beyond that purpose increases exposure without adding operational value. Temperance is the character trait that sustains this discipline over time, particularly when data hoarding feels like a competitive advantage or when deletion requires effort.

Asset Management (ISO 27001 Annex A.8; control 5.9 in ISO/IEC 27001:2022). Effective asset management requires that organizations maintain accurate, current inventories and apply controls proportional to asset sensitivity. Temperance prevents the common failure mode of treating all assets as equally critical, which produces bureaucratic paralysis, or treating none as critical, which produces the opposite.

Risk Appetite Adherence. A risk appetite statement that exists only in policy documents is not a governance mechanism. It is a liability. Temperance is what separates organizations that actually operate within stated risk thresholds from those that rationalize exceptions until the exception becomes the norm.

Scope Discipline in Audit Engagements. Temperance keeps audit scopes appropriate to the material risks under review. Scope creep produces comprehensive findings catalogs that overwhelm remediation capacity and bury material issues in noise. The temperate auditor delivers fewer, higher-priority findings that drive measurable risk reduction.

Communication Calibration. Temperance prevents over-alarming (treating every finding as existential) and under-alarming (downplaying genuine problems to avoid difficult conversations). The temperate communicator calibrates tone to substantive risk level, a discipline that preserves credibility with stakeholders over time.

How to Develop Temperance:

Build routines that create natural stopping points: defined scopes, time boundaries, peer review checkpoints. Notice when you over-invest in a finding because it irritates you personally, or when you under-react because you are fatigued. Temperance is not the suppression of impulse. It is the calibration of response to fit the actual circumstance.

Putting the Framework to Work

These virtues are not checklist items. They are developmental priorities that compound over time.

Using a Decision Protocol When the Virtues Conflict

Most GRC decisions are not a single-virtue problem. A materiality determination under the SEC’s four-day clock involves prudence (is this material?), fortitude (do we disclose it?), justice (are we applying the same standard we used last quarter?), and temperance (are we communicating proportionally?). When virtues are in tension, a structured decision protocol prevents rationalization from filling the gap.

The Markkula Center’s five-step framework maps directly onto GRC workflows:

  1. Identify the ethical issue: what is actually at stake, beyond the technical compliance question?
  2. Get the facts: what do you know, what do you not know, and what do you need before deciding?
  3. Evaluate alternative actions: run each option through at least two of the six ethical lenses (rights, justice, utilitarian, common good, virtue, care ethics). Ask which action survives the most scrutiny.
  4. Choose an option and test it: apply the “public audience” test. Would you be comfortable if the audit committee, a regulator, or a journalist could see exactly what you did and why?
  5. Implement and reflect: document your reasoning. After the outcome is known, examine whether your process was sound even if the result was uncomfortable.

This is not a replacement for the virtue framework. It is the activation sequence. Virtues are the character traits you build over time. The decision protocol is how you deploy them in a specific, high-pressure moment.


For self-assessment: Identify your strongest virtue and your most under-developed one. Most GRC professionals excel in one or two and struggle with one or two. That gap is your professional development agenda. Address it deliberately.

For team development: Evaluate your team’s collective virtue profile. A team strong in prudent judgment but weak in courageous escalation will produce excellent risk ratings that no one acts on. A team strong in fortitude but inconsistent in justice will escalate aggressively but unevenly. Balance the team. Pair complementary strengths. Address gaps through hiring, mentorship, or structured exposure to harder situations.

For organizational assessment: The four virtues offer a diagnostic lens for evaluating leadership character beyond competence metrics. Does the executive team demonstrate prudence in strategic decisions? Justice in how they treat people? Fortitude in how they handle material bad news? Temperance in how they pursue growth? These questions predict control environment effectiveness more reliably than policy inventory counts. For boards and executives who want to formalize this assessment, the Markkula Center’s Culture Self-Assessment Practice Process Design provides a structured method for measuring the “unwritten rules” of an organization, converting what GRC practitioners typically call “soft controls” into audit ready governance metrics. Culture, properly assessed, is a hard control.

For SEC Compliance Integration: Under the SEC’s cybersecurity disclosure framework, all four virtues have direct operational implications. Prudence governs materiality determinations. Justice governs the consistency of disclosure processes across incident types. Fortitude governs the willingness to file within the four-business-day window. Temperance governs the discipline to avoid over-disclosure that creates noise and under-disclosure that creates liability.


Downloadable Checklist

Virtue-Based Risk Assessment Checklist

Use this checklist at the start of each risk assessment cycle to evaluate both the process design and the professional conduct of your team.


PRUDENCE: Risk Assessment Quality

  • [ ] Has the risk assessment methodology been documented and consistently applied?
  • [ ] Are likelihood and impact ratings defined with quantitative or semi-quantitative criteria, not subjective judgment alone?
  • [ ] Can every “Medium” or “High” risk rating be defended with specific threat source and impact documentation?
  • [ ] Have subject matter experts been consulted across all relevant domains before ratings are finalized?
  • [ ] Has the assessment been reviewed by a second professional for judgment calibration?

JUSTICE: Process Consistency

  • [ ] Are the same risk rating criteria applied uniformly across all business units and vendors?
  • [ ] Have conflict-of-interest disclosures been collected from all assessment participants?
  • [ ] Is vendor due diligence applying the same standards to all third parties, regardless of contract value or relationship history?
  • [ ] Have findings been peer-reviewed before delivery to prevent inconsistent application?
  • [ ] Are investigation processes documented to ensure procedural consistency regardless of subject identity?

FORTITUDE: Escalation Integrity

  • [ ] Are material risk findings being reported to the appropriate authority level without modification for political convenience?
  • [ ] Has the team documented how potential SEC-material cybersecurity incidents will be escalated and evaluated within the required disclosure window?
  • [ ] Are whistleblower-reported concerns being investigated with the same rigor applied to other reported issues?
  • [ ] Is there a documented process for maintaining business continuity reporting under adverse conditions (ISO 22301)?
  • [ ] Have team members been briefed on the SEC’s requirement to determine materiality without unreasonable delay and to file Item 1.05 of Form 8-K within four business days of that determination?

TEMPERANCE: Scope and Resource Discipline

  • [ ] Is the assessment scope defined and approved before fieldwork begins?
  • [ ] Is data collection limited to information necessary for the specific assessment objectives?
  • [ ] Are audit hours and team capacity allocated proportionally to documented risk levels?
  • [ ] Does the final report prioritize material findings over comprehensive finding catalogs?
  • [ ] Has the organization’s data retention schedule been reviewed for alignment with data minimization requirements?


FAQ

What is the difference between virtue ethics and professional GRC ethics codes?

Ethics codes prescribe behaviors: disclose conflicts of interest, maintain confidentiality, refuse gifts above a threshold. The ISACA Code of Professional Ethics reflects this approach. Virtue ethics develops the character traits that make code compliance natural rather than forced. The code tells you what to do. Virtues shape who you become so doing it becomes instinctive, particularly under pressure, when codes are hardest to follow.

How does this framework align with NIST and ISO standards?

Each virtue maps directly to established control families. Prudence aligns with NIST SP 800-30 risk assessment processes. Justice aligns with ISO 27001 Annex A.9 access control and A.15 supplier relationships (controls 5.15 and 5.19 in the 2022 edition). Fortitude aligns with NIST SP 800-61 incident response and ISO 22301 business continuity. Temperance aligns with ISO 27001 Annex A.8 asset management (control 5.9 in the 2022 edition) and the NIST SP 800-53 retention and PII minimization controls. The framework is designed to complement, not replace, those standards.

How does this framework address the SEC Cybersecurity Disclosure Rules?

The SEC’s 2023 rules require registrants to disclose material cybersecurity incidents on Form 8-K within four business days of determining that an incident is material, and to disclose annually, in the Form 10-K, material information about their cybersecurity risk management, strategy, and governance. All four virtues are operationally relevant. Prudence governs accurate materiality determinations. Justice governs consistency in disclosure processes. Fortitude governs timely disclosure regardless of organizational reluctance. Temperance governs proportional communication that avoids both over-disclosure and under-disclosure.

Is this framework too philosophical for practical GRC work?

The vocabulary is classical. The application is immediate. Every risk rating involves prudence. Every audit calibration session involves justice. Every escalation decision involves fortitude. Every scope decision involves temperance. The virtues describe what GRC professionals are already doing at their best, and failing to do at their worst. Naming them makes the practice deliberate.

What if my organization does not support this kind of GRC ethics framework?

Organizations that punish sound judgment, tolerate procedural injustice, retaliate against honest escalation, and rationalize risk appetite violations eventually face regulatory, reputational, or financial consequences. If you are operating in that environment, your options are to influence the culture, model the virtues and document your reasoning, or recognize that protecting your professional integrity may require an exit. That is not a comfortable answer. It is an honest one.

Can GRC professionals reference this framework in audit committee presentations?

Yes. The cardinal virtues have credibility across secular and professional contexts because they originate in Greek philosophy and have informed legal, medical, and business ethics for centuries. Framing a governance culture discussion around prudence, justice, fortitude, and temperance positions the conversation at the character level, which is where control environment assessments ultimately belong.

How do I measure virtue development in a team?

Virtues are not directly measurable, but their operational effects are. Track escalation rates over time; fortitude shows up as a willingness to report uncomfortable findings. Track calibration consistency across business units; justice shows up as statistically consistent rating distributions. Track scope adherence and finding prioritization; temperance shows up as focused, actionable reports. Track how often risk ratings withstand audit committee scrutiny; prudence shows up as defensible, well-documented assessments.

Where does the Markkula Center framework fit alongside this one?

The Santa Clara University Markkula Center for Applied Ethics provides operational resources that extend this virtue framework into specific domains. The ITEC Operational Roadmap applies structured ethical checkpoints to AI and encryption governance. The Ethics by Design methodology embeds ethical review into product and process development. The Business Ethics Resource Center frames compliance as a competitive distinction rather than a cost center. The six ethical lenses the Center uses, rights, justice, utilitarian, common good, virtue, and care ethics, function as audit filters that complement the cardinal virtue framework when decisions require multi-stakeholder analysis. These are not competing systems. They are compatible tools for the same purpose: building organizations that make sound ethical decisions reliably, not occasionally.

What’s Next

Technical skills earned your seat at the GRC table. Character determines how long you stay, and how much value you create while you are there.

This week, pick one virtue. Not the strongest one. The one you most need to develop.

Watch for situations that require it. Notice your response. After the moment passes, ask:

  • Did prudence guide my judgment, or did I default to the comfortable rating?
  • Did justice shape my process, or did relationships influence my conclusions?
  • Did fortitude sustain my escalation, or did I soften the finding to preserve a relationship?
  • Did temperance calibrate my scope, or did I pursue thoroughness at the expense of clarity?

This is how virtue develops. Not through resolution. Through repeated, examined practice.

The frameworks you implement are only as strong as the character of the people implementing them.

That starts with you.


Sources and Further Reading

Primary Standards and Regulatory Sources

NIST SP 800-30 Rev. 1
  Purpose: Guide for Conducting Risk Assessments; the foundational document for Prudence’s control mapping.
  Relevant section: Chapter 3 (the risk assessment process); Appendices D through I (threat sources, threat events, vulnerabilities and predisposing conditions, likelihood, impact, and risk scales; Table I-2 combines likelihood and impact into a level of risk).

NIST SP 800-61 Rev. 2
  Purpose: Computer Security Incident Handling Guide; Fortitude’s incident response framework.
  Relevant section: Chapter 3 (Handling an Incident): 3.1 Preparation; 3.2 Detection and Analysis; 3.3 Containment, Eradication, and Recovery; 3.4 Post-Incident Activity. Rev. 3 (2025) reorganizes this guidance around the NIST CSF 2.0 functions, so its section numbers differ.

NIST SP 800-53 Rev. 5
  Purpose: Security and Privacy Controls for Information Systems and Organizations; Temperance’s data minimization controls.
  Relevant section: Rev. 5 integrates privacy controls into the main catalog (the separate Appendix J privacy catalog belonged to Rev. 4): PT-3 (Personally Identifiable Information Processing Purposes); SI-12 (Information Management and Retention) with enhancement SI-12(1) (Limit Personally Identifiable Information Elements); PL-8 (Security and Privacy Architectures).

ISO/IEC 27001:2022
  Purpose: Information security management standard; anchor for the Justice and Temperance control mappings.
  Relevant section: Clause 6.1.2 (Information security risk assessment); Annex A controls 5.15 (Access control), 5.19 (Information security in supplier relationships), and 5.9 (Inventory of information and other associated assets). These correspond to A.9, A.15, and A.8 in the 2013 numbering used in the body of this post.

ISO 22301:2019
  Purpose: Business continuity management; Fortitude’s organizational resilience standard.
  Relevant section: Clause 8.2 (Business impact analysis and risk assessment); Clause 8.3 (Business continuity strategies and solutions); Clause 9.1 (Monitoring, measurement, analysis, and evaluation).

SEC Cybersecurity Disclosure Rules (2023)
  Purpose: Final rules on material incident reporting and annual governance disclosure.
  Relevant section: Item 1.05 of Form 8-K (disclosure within four business days of the materiality determination); 17 CFR 229.106 (Item 106 of Regulation S-K, annual risk management, strategy, and governance disclosure).

SOX Sections 302 and 906
  Purpose: Executive certification requirements underpinning regulatory honesty obligations.
  Relevant section: Section 302 (Corporate responsibility for financial reports); Section 906 (Criminal penalties for certifying misleading financial reports).

Professional Frameworks and Associations

Ethics and Applied Philosophy

Markkula Center for Applied Ethics, Santa Clara University
  Purpose: Six ethical lenses, five-step decision framework, Ethics Cases, and Culture Self-Assessment.
  Relevant section: Homepage links to all subsections below; use as the entry point for further navigation.

A Framework for Ethical Decision Making
  Purpose: Direct source for the five-step protocol integrated into “Putting the Framework to Work”.
  Relevant section: The five steps and six ethical lenses are presented in full on this single page.

ITEC Operational Roadmap
  Purpose: SCU-Vatican collaboration on ethical governance of AI, encryption, and tracking.
  Relevant section: The Ethics in the Age of Disruptive Technologies handbook; download available from this page.

Ethics by Design: Culture Management
  Purpose: Culture Self-Assessment tool referenced in the organizational assessment section.
  Relevant section: Culture Self-Assessment Practice Process Design; the six methods for leading organizations to ethical outcomes.

Markkula Center: Ethics Cases
  Purpose: Scenario training library used in the Fortitude section.
  Relevant section: Search “Make Waves or Go With the Flow” and “Speak Up or Stay Silent” directly within this library.

Markkula Center: Internet Ethics
  Purpose: Source for the “If you can’t secure it, don’t connect it” mantra applied in Temperance.
  Relevant section: IoT governance and vulnerability disclosure case studies; the mantra appears in the cybersecurity ethics materials.

For Further Reading

EU AI Act (2024)
  Purpose: Regulatory context for technology ethics and GRC future-proofing.
  Relevant section: Articles 9 through 15 (requirements for high-risk AI systems: risk management, data governance, documentation, record-keeping, transparency, human oversight, and accuracy, robustness, and cybersecurity).

GDPR (Regulation (EU) 2016/679)
  Purpose: Rights Lens application to data privacy governance.
  Relevant section: Article 5 (Principles relating to processing of personal data; the data minimisation principle is Article 5(1)(c)); Article 25 (Data protection by design and by default, which requires those principles to be built into processing).

SEC Whistleblower Program Annual Report
  Purpose: Data on retaliation as a barrier to reporting, relevant to Fortitude.
  Relevant section: Annual report statistics on retaliation-related complaints and award determinations; available as a downloadable PDF from this page.

Clean Like S.O.A.P. (WordPress.com)