Continuing research by the Strategic Risk Management Lab at DePaul University’s Kellstadt Graduate School of Business studies how companies develop strategies to create long-term sustainable value based on positive risk governance focused on creating and protecting value. This research includes studying leading practices in risk governance, such as Lockheed Martin’s coordinated governance of enterprise risk management (ERM) and sustainability, and its focus on ethics for positive risk management. Lockheed Martin practices have evolved the governance of ERM and sustainability with an ethics-oriented mindset.


Mark L. Frigo and Christopher A. Geiger, Lockheed Martin’s vice president of internal audit and ERM, discuss how CFOs, finance organizations, and boards can take a leadership role in establishing and supporting ethics-driven risk governance focused on creating and protecting long-term value.


Evolution of Ethics and Enterprise Assurance


Lockheed Martin’s Ethics and Enterprise Assurance (EEA) division started from Ethics and Business Conduct, which administers a long-standing ethics program based on the company’s core values: Do what’s right, respect others, and perform with excellence. In 2011, a sustainability organization was formalized to develop Lockheed Martin’s sustainability strategy and conduct related reporting. This new sustainability organization joined Ethics and Business Conduct to create Ethics and Sustainability. In 2017, internal audit and ERM were incorporated to create Internal Audit, Ethics, and Sustainability. In 2018, environment, safety, and health (ESH) and health and wellness joined the organization, and a new overarching and succinct name was required for the combined organization (see Figure 1).





Ethics and Enterprise Assurance has been the name of the department ever since. It relays the centrality of ethics and the role that all of the subfunctions play in assuring the corporation addresses relevant risks. It also serves to reinforce the commitment to integrity and a speak-up culture.


Part 1: Ethics-Driven Risk Governance


Research on high-performance companies shows a distinct focus on being ethics-driven. High-performance companies adhere to Tenet 1, “Ethically Maximize Wealth,” in the Return Driven Strategy framework, creating long-term sustainable value in the process. “Ethically” means closely adhering to the ethical values of the stakeholders of a company as the stakeholders define them, and remaining aware of how the ethical values of stakeholders are changing.


Mark L. Frigo: One of the distinguishing features of the Lockheed Martin EEA organization’s risk governance is its focus on ethics. Please describe how ethics became a driving force for risk governance at Lockheed Martin.


Christopher A. Geiger: Lockheed Martin is a mission-oriented global security and aerospace company focused on ensuring those we serve always stay ahead of ready (as described in Figure 2).





Lockheed Martin’s ethics program and training support this mission through our values-based principles governing employee behaviors, conduct, and decision making. When business operations are built on a foundation of integrity, employees rely on trust and transparency to speak up and help identify and address risks. Our ERM supports the mission by identifying and treating potential material issues to the company’s strategy. Essentially, ethics is values risk governance, and ERM is strategy risk governance. They’re both required for the long-term, purpose-driven sustainability of the company.


When seen in this light, ethics is a natural foundation for overall corporate risk governance. Over the past 12 years, our EEA organization developed from an ethics and business conduct foundation to an expanded assurance function that also encompasses internal audit, ERM, environment, safety, health, and sustainability. Maintaining ethics at the core of EEA keeps the risk governance processes grounded. From the perspective of internal audit and ERM, I can vouch for the benefits of operating in an explicitly ethics-based function as it provides a clear focus on long-term corporate value rather than purely near-term financial goals.


In addition to our company’s ethics foundation, there’s the wider mandate from the COSO (Committee of Sponsoring Organizations of the Treadway Commission) ERM framework’s number-one principle, “The organization demonstrates commitment to integrity and ethical values.” An ERM or compliance program that isn’t rooted in ethics is likely to miss some of the most important potential issues. Similarly, a rules-based ERM program likely devolves into a box-checking exercise. The COSO ERM framework advocates a long-term-value-focused ERM program with a principles-based approach and a clear connection to the purpose of the organization.


A practical example of the benefits of EEA collaboration is the ongoing partnership between ethics and internal audit on special projects. Internal audit contributes technical subject-matter expertise—such as accounting—and ethics contributes investigative and employee conduct expertise. Together we’re able to best adjudicate potential corporate risks that entwine ethical and technical aspects.


MLF: Lockheed Martin’s clear focus on “long-term corporate value rather than purely near-term financial goals” is representative of high-performance companies that create superior and sustainable value creation. The view of ethics as “values risk governance” and ERM as “strategy risk governance” is a useful way to communicate the relationship between ethics and ERM toward achieving long-term, purpose-driven sustainability.


Part 2: Sustainability and ESG


Continuing research on high-performance companies in the Return Driven Strategy initiative shows a “vigilance to forces of change and an ability to manage both the risks and opportunities driven by those forces of change better than other companies. Today, sustainability and environmental, social, and governance (ESG) represent significant forces of change that need to be integrated into companies’ risk governance.”


MLF: Please describe how sustainability and ESG are integrated in risk governance at Lockheed Martin.


CAG: In 2017, Lockheed Martin integrated our sustainability and ERM functions. This benefited the operations of both disciplines and also enhanced related communication with management and the board of directors. Sustainability incorporated some of ERM’s process rigor in analyses such as the climate work that evolved into our Task Force on Climate-related Financial Disclosures reporting. ERM moved to link enterprise risks and compliance risks to associated sustainability issues to ensure action plans were aligned and nonduplicative.


On the governance front, we’ve also strengthened the connection between ERM and sustainability. We leveraged our risk and compliance committee (RCC) to serve as a forum for business area and corporate functional representatives to review and guide enterprise sustainability initiatives and provide input to related plans. This facilitates the RCC having a greater time horizon beyond the short and medium term. Another way sustainability governance is integrated into wider corporate governance is using the same corporate disclosures and control committee (DCC) to review public sustainability disclosures as we do for public financial disclosures. Figure 3 shows an example of ESG risk and SEC [U.S. Securities & Exchange Commission] disclosure coverage.




MLF: Integrating sustainability in ERM and leveraging the RCC provide a useful way to review and guide enterprise sustainability initiatives and guide actions toward long-term value creation. Integrating sustainability governance using the corporate DCC to review public sustainability disclosures and public financial disclosures is another leading practice other companies can adopt.


A recent SEC disclosure requirement for cybersecurity risk disclosures takes effect on December 18, 2023. The approach used at Lockheed Martin provides a proactive and strategic way to prepare these public disclosures on cybersecurity risks.


Part 3: Cybersecurity and ESG


At Lockheed Martin, cybersecurity is considered in an ESG context. This is done by viewing cybersecurity as an element of ESG, referred to as “digital responsibility,” which includes AI, data privacy and protection, and intellectual property rights.


MLF: A previous article in this series, Strategic Management of Cybersecurity Risks, discussed how to use the COSO Strategic Risk Assessment process for assessing and managing cybersecurity risks. The Lockheed Martin EEA program for risk governance integrates sustainability and ESG into the program. Please describe how cybersecurity as an element of ESG is integrated in risk governance at Lockheed Martin.


CAG: Lockheed Martin develops our sustainability management plan and associated goals from a periodic core issues assessment. When we conduct our assessment, we include internal and external stakeholders and consider potential issues that may affect Lockheed Martin’s long-term sustainability, including issues that extend beyond traditional ESG elements.


During our most recent core issues assessment, we developed “elevating digital responsibility” as one of the four priority areas with issues including AI, data privacy and protection, and intellectual property rights. We release public goals to advance progress in these areas.


The sustainability core issues assessment results, goals, and progress are all inputs to our EEA comprehensive risk universe. Internal audit and ERM use this information to inform the internal audit plan, compliance risk assessments, and the emerging risk program. A good example of how this work relates to ethics in AI: Our “elevating digital responsibility” priority area includes ethics in AI as one of 13 core issues. The public goal associated with this issue relates to training developers in ethical AI system engineering approaches. In addition, internal risk governance actions included the release of an ethical AI policy and ERM’s inclusion of AI governance in its next compliance risk assessment.


MLF: The consideration of potential issues that may affect Lockheed Martin’s long-term sustainability, including issues that extend beyond traditional ESG elements, as one of the four priority areas, is a useful way to elevate cybersecurity as a core strategic issue.


Part 4: Sustainability and ERM


In this section, we discuss the relationship between sustainability and ERM at Lockheed Martin.


MLF: A previous article in this series, Sustainability for Long-Term Value Creation, discussed how to use the COSO Strategic Risk Assessment process for assessing and managing sustainability risks and opportunities. The Lockheed Martin EEA program for risk governance integrates sustainability into the program. Please describe how Lockheed Martin reflects the COSO Strategic Risk Assessment process in its risk governance.


CAG: The COSO internal control components of the Strategic Risk Assessment process—control environment, risk assessment, control activities, information and communication, and monitoring activities—are a structured way to mainstream risk governance into normal business operations. I find COSO helps to maintain risk governance’s focus on the organizational strategy.


Similarly, our sustainability programs have benefited from the continual evolution of our risk-based approach. Lockheed Martin’s early sustainability efforts were governed by a bespoke governance structure at the executive leadership level. As our sustainability programs and focus evolved, we now incorporate sustainability into the overall strategic and risk management focus of our executive leadership team. In addition, we continue to mature the alignment of our sustainability and ERM management processes such as through the risk and compliance committee where all enterprise risk topics are regularly monitored.


Taking a wider view, both sustainability and ERM rely on a foundation of ethics. At Lockheed Martin, we’ve coalesced many risk, compliance, and assurance functions in an organization founded on ethics. This organizational structure may not be traditional in corporate America, but COSO includes “commitment to integrity and ethical values” as Principle #1, which falls under the internal controls component. We’ve proven that maintaining focus on COSO Principle #1 aligns risk management and sustainability with organizational long-term value and growth.


MLF: The focus on COSO Principle #1 is a useful way to align risk management with long-term value creation, an approach that other companies can adopt.


CFOs and finance organizations can take a leadership role in developing ethics-driven risk governance focused on creating and protecting long-term value by adapting the leading practices described in this article. This can include aligning and integrating your ethics and corporate purpose with ERM, cybersecurity, sustainability, and ESG; taking a strategic view of sustainability, ESG, and cybersecurity as long-term value creators; using a strategic risk-assessment process for sustainability and cybersecurity risks; and establishing ethics as a foundation for positive risk governance.



This article is part of the Creating Greater Long-Term Sustainable Value series in Strategic Finance launched by the October 2018 article Creating Greater Long-Term Sustainable Value, by Mark L. Frigo, with Dominic Barton.

About the Authors