Introduction
In contemporary organizations, characterized by increasing operational complexity and strong interconnection among processes, risk can no longer be interpreted solely as an external event or as the result of technical factors. A central element, often underestimated, lies in the internal decision-making dimension: organizations, in fact, do not act autonomously, but through the people who are part of them. Every company is composed of individuals — employees, managers, executives, and directors — who make decisions of varying nature and significance on a daily basis. While some choices remain confined to operational levels, others, typically adopted by top management, can produce significant effects on the entire organizational system and on relationships with the external environment.
It follows that the functioning of an organization largely depends on the quality of the decisions made within it. From this perspective, risk cannot be considered merely as an event, but must instead be interpreted as a process originating from decision-making.
Decision-Making as the Origin of Risk
Every decision represents a potential point of risk generation. When a choice is appropriate, coherent, and compliant with procedures, it contributes to the stability of the organizational system. Conversely, when a decision is made superficially, distortedly, or in violation of procedures, it may trigger significant consequences, potentially leading to unlawful conduct. From both a legal and organizational perspective, decision-making may stem from different causes:
- negligence, recklessness, or incompetence;
- intentional misconduct, when conduct is deliberately aimed at violating rules;
- unavoidable error, linked to informational or contextual limitations.
These categories highlight how risk cannot be attributed solely to structural deficiencies, but is deeply connected to the decision-making dimension and, therefore, to human behavior. In this sense, decision-making represents the moment in which risk begins to take shape from a latent possibility into a concrete reality.
The Behavioral Dimension of Risk
Understanding risk as the outcome of decision-making necessarily implies analyzing its behavioral dimension. Organizations operate in contexts characterized by uncertainty, time pressure, and informational complexity, in which decision-makers do not always possess all the necessary information or sufficient time for fully rational analysis. Under such conditions, the decision-making process inevitably departs from the model of perfect rationality traditionally underlying economic theory.
The studies of Daniel Kahneman, one of the leading figures in behavioral economics, profoundly redefined the interpretation of decision-making behavior. In particular, Kahneman emphasizes that choices result from the interaction between two cognitive systems:
- System 1, fast, intuitive, and automatic;
- System 2, slower, reflective, and analytical.
In organizational practice, especially under time constraints, performance pressure, and information overload, decision-making tends to be dominated by System 1. This reduces critical analysis capabilities and increases reliance on cognitive shortcuts. In this context, decision-makers are exposed to systematic distortions — such as overconfidence, confirmation bias, loss aversion, and anchoring — which affect not only the evaluation of alternatives but also the perception of risk itself. Risk, therefore, is not assessed objectively, but filtered through cognitive frameworks that may lead to its underestimation or overestimation.
This aspect becomes particularly relevant when considering the relationship between decision, event, and legal consequences. An intuitively made decision, lacking adequate reflection, may generate vulnerability; such vulnerability may translate into a harmful event; and the event, in turn, may constitute a regulatory violation or criminal offense. Thus emerges a genuine decision-making chain of risk:
decision → vulnerability → event → consequences
From this perspective, the behavioral dimension helps explain how risk is not an external element striking the organization, but rather a phenomenon generated within decision-making processes influenced by cognitive limitations, context, and organizational dynamics.
From Decision to Impact: The Propagation of Risk
Decisions made within organizations do not remain confined to the internal sphere, but can produce effects extending throughout the organizational system and often beyond it.
An incorrect or inadequately considered decision may trigger multiple consequences, generating interconnected forms of risk. In particular, decision-related risk may translate into:
- operational risk, affecting efficiency and the proper functioning of internal processes;
- compliance risk, connected to violations of laws, regulations, and procedures;
- financial risk, arising from economic losses, inefficiencies, or unsustainable decisions;
- reputational risk, affecting the trust of clients, stakeholders, and the market;
- cyber risk, linked to the compromise of systems, data, and digital infrastructures;
- environmental risk and occupational health and safety risk, impacting both the environment and worker integrity.
What emerges is the transversal and systemic nature of risk, which tends to propagate across functions, processes, and organizational levels.
An apparently isolated decision may therefore trigger a chain of effects, amplifying its impact over time. In some cases, such effects may prove difficult to reverse, as in the case of reputational damage or sensitive data loss.
From this perspective, decision-making represents a dynamic point of origin for risk, capable of generating consequences that extend beyond the individual act itself.
Indicators of Vulnerability: Decision-Making Red Flags
Within organizational decision-making processes, early warning signals frequently emerge, indicating the presence of vulnerability. These so-called red flags do not in themselves constitute evidence of wrongdoing, but rather represent indicators of risk situated in an intermediate phase between decision and event. Precisely because of this nature, they hold strategic value, as they allow organizations to intercept risk while it is still potential and therefore more manageable.
These indicators manifest through specific anomalies in decision-making processes, summarized as follows:
- Unjustified urgency: decisions requested under abnormal time pressure or without adequate justification
  → risk: decision-making errors and bypassing of controls
  → safeguard: verification of urgency and multi-level validation.
- Bypassing procedures: failure to comply with internal protocols
  → risk: non-compliance and potential misconduct
  → safeguard: process interruption and activation of internal audit.
- Excessive discretion: concentration of decision-making power in a single individual
  → risk: abuse or undetected error
  → safeguard: segregation of duties and dual control.
- Lack of traceability: absence of documentation regarding decisions and responsibilities
  → risk: opacity and inability to verify actions
  → safeguard: formalization and recording of decisions.
- Conflict of interest: interference, even potential, of personal interests in the decision-making process
  → risk: exposure to ethical and legal risks
  → safeguard: reporting systems and preventive management.
- Normalization of deviations: progressive acceptance of abnormal behavior as standard practice
  → risk: systemic risk
  → safeguard: process review and strengthening of organizational culture.
From a behavioral perspective, such anomalies should not be interpreted as isolated incidents, but as manifestations of deeper critical issues, often linked to operational pressure, cognitive distortions, or structural deficiencies in control systems. Their identification and proper interpretation therefore represent an essential step in strengthening prevention mechanisms and preventing vulnerability from evolving into a harmful event.
Prevention, Organizational Models, and Risk Management
In a context where the behavioral component makes risk inherently difficult to eliminate, organizations cannot respond through total control of individuals, but rather through the construction of systems capable of guiding, structuring, and containing decision-making processes.
In this regard, the Italian Legislative Decree 231/2001 represents one of the most relevant instruments for the prevention of corporate crime. It introduces the principle of corporate administrative liability, based on the concept of organizational fault, namely the organization’s capacity to adopt models suitable for preventing certain unlawful acts.
The Organization, Management, and Control Model (MOG) therefore functions not merely as a set of formal rules, but as a genuine risk governance system. Through the model, the organization can:
- identify areas exposed to criminal risk;
- analyze decision-making and operational processes;
- introduce protocols governing the formation and implementation of decisions;
- define roles, responsibilities, and information flows;
- establish monitoring and control systems.
A central element of the MOG consists of protocols and procedures, which do not merely regulate activities but directly influence the decision-making process. They establish who decides, at which stage, and according to which procedures, thereby reducing uncontrolled discretion and making decisions more traceable and verifiable.
In this sense, the MOG 231 performs a dual function: preventive, by reducing the likelihood that a decision results in unlawful conduct; and organizational, by structuring the context within which decisions are made.
However, the effectiveness of the model cannot be evaluated solely in formal terms. A MOG adopted but not effectively implemented risks losing its preventive function. Conversely, an effective model is one that integrates with organizational culture, influencing behavior and guiding the decisions of individuals operating within the entity.
Consequently, the MOG does not eliminate decision-related risk, but contributes to making it more predictable, controllable, and manageable by embedding decision-making within a structured system of rules, controls, and responsibilities.
Prevention and Management: An Integrated Approach to Risk
Managing decision-related risk requires an integrated approach based on two complementary dimensions: prevention and reactive capability.
Preventive measures are aimed at reducing the probability that a decision generates risk and are based on:
- mapping sensitive areas;
- defining protocols and procedures;
- segregation of duties;
- training and dissemination of risk culture.
These instruments help guide decision-makers’ behavior, reducing the likelihood of errors, deviations, or unlawful conduct.
Alongside prevention, however, the reactive and corrective dimension also plays a central role. This dimension intervenes once an error has already occurred and aims to contain and manage the impact of the event. It includes:
- timely detection of anomalies;
- risk containment and interruption of propagation;
- root-cause analysis, with particular attention to the decision-making process that generated the event;
- updating processes and procedures;
- training and organizational interventions designed to prevent recurrence.
Within this framework, risk management does not end with prevention, but is completed through the organization’s ability to react, adapt, and learn.
Error, therefore, does not represent merely a critical issue, but also an opportunity for improvement: through event analysis and process review, organizations can strengthen their control mechanisms and improve the quality of future decisions.
An effective organization, therefore, is not one that completely eliminates risk — an unrealistic objective — but one that can anticipate, contain, and transform risk into organizational learning.
Conclusions
Analyzing the behavioral dimension of risk allows us to move beyond a traditional perspective based exclusively on external or structural factors, recognizing instead the central role of internal decision-making processes.
In contemporary organizations, risk is not merely an isolated event, but a dynamic process originating in decisions and developing through human behavior. Decisions are never fully rational; they are influenced by cognitive limitations, operational context, and organizational dynamics.
This implies the need for a shift in perspective: it is no longer sufficient to design systems and controls; it becomes essential to understand, guide, and govern the decision-making processes underlying them.
From this standpoint, risk management necessarily assumes an integrated nature, balancing a preventive dimension — aimed at reducing the probability that risk emerges — with a reactive dimension — aimed at containing its effects and transforming it into organizational learning.
Risk, therefore, is not merely an event to be managed, but a process to be understood, monitored, and governed over time through organizational tools, decision-making safeguards, and adaptive capability. Because, ultimately, risk originates from decision-making, and decision-making is, inevitably, human.

Sources
- Kahneman, D. (2011). Thinking, Fast and Slow. Farrar, Straus and Giroux.
- OECD. (2017). Behavioural Insights and Public Policy: Lessons from Around the World. OECD Publishing.
- ISO. (2018). ISO 31000: Risk Management – Guidelines. International Organization for Standardization.
- FATF. (2023). International Standards on Combating Money Laundering and the Financing of Terrorism (FATF Recommendations). Financial Action Task Force.
- Italy. (2001). Legislative Decree No. 231 of 8 June 2001.
Silvia Cardaci holds a degree in Compliance, Business Development and Crime Prevention and is currently attending a master’s program in International Defense and Security Policy Analysis. Her academic interests focus on economic and financial crime, with particular attention to money laundering, terrorist financing, and emerging risks related to the digitalization of financial systems. Her analytical perspective also integrates the behavioral dimension of crime, based on the awareness that every offense is, first and foremost, an expression of human behavior.