Michael Power
The London School of Economics and Political Science
All content following this page was uploaded by Michael Power on 27 February 2014.
Centre for Business Performance
Thought leadership from the Institute…

The Centre for Business Performance sponsors and promotes leading-edge research on performance-related issues of immediate and long-term importance to the business community. Its goal is to advance thinking and practice related to performance enhancement and value creation and to encourage discussion of new ideas by directors, entrepreneurs and others

If you would like to know more about the Institute’s leading-edge activities, please contact:
Centre for Business Performance,
Chartered Accountants’ Hall,
Moorgate Place,
London EC2P 2BJ
Fax: 020 7638 6009
Tel: 020 7920 8634
Website: www.icaew.co.uk/centre
Email: centre@icaew.co.uk
Briefing
The Risk Management of Everything
This Briefing is based on the 6th P D Leake Lecture
at Chartered Accountants’ Hall by Michael Power,
23 June 2004

I recently decided that there was no longer space to store 20 years’ worth of Accountancy and Accountancy Age. Prior to disposal I reviewed all the back issues for articles of particular note worth saving. In the course of this process, a number of things were striking. First, articles on financial reporting were conspicuous in the 1980s, but in the 1990s it was auditing which seemed to be the main object of discussion. Second, risk and risk management begin to receive regular exposure only from about the mid-1990s onwards. In particular, the late 1990s reveal increasing commentary on practice management and risks to professional partnerships.

This review was not a formal content analysis and the observations are impressionistic. However, the recent accent on risk management by accountancy practices provides the point of departure for this lecture.

The audit risk model, as an idea if not a concrete practice, can be traced back to the 1980s. In time this developed as Business Risk Auditing (BRA) with different firms offering proprietorial variations on the same theme. Of particular interest in this methodological development is the manner in which ‘audit risk’, originally conceived in terms of the risks of client business (sub-analysed into control risk and inherent risk) and the risks of the audit process (sub-analysed as sampling and non-sampling risk), came to be understood to include the risks to the auditor him/herself. In short the primary risk, that the financial statements are materially misstated, has come to be thought of also in terms of a secondary risk, the risk of financial and reputational losses to auditors themselves.

Recent professional preoccupations with practice management, quality control and client selection processes are a further reflection of this. Changes in the regulatory environment for the accountancy profession, the emergence of the corporate governance codes, new areas of work driven by new legislation, and the liability environment, all make the focus on secondary risk management very understandable and rational at the level of the individual firm or practitioner. At the macro or systemic level there is more cause for concern. The accountancy profession as a whole, which has historically been granted a monopoly over work regarded as essential to the risk management of the corporate economy, namely auditing, may be becoming preoccupied with risks to itself. However, this is much more than an accountancy-centred story of the problems created by the liability law, as some would argue. It is systematic, cross-functional and concerns many other agents and agencies in society. Indeed, society is facing a major challenge, whereby those agencies traditionally charged with handling (pooling, collectivising, reporting) primary risks on behalf of others, such as professions, insurers and government, are focusing increasingly on their own risks with a view to avoiding responsibility, blame and financial penalty.

This is the problem underlying the idea of ‘the risk management of everything’, namely that there is an ongoing shift in society in the balance between primary and secondary risk management, with a marked growth in the latter.

There is no doubt that risk talk and ideas of risk management have become more prominent in recent years. Specifically, since 1995, the year that Barings bank collapsed and Shell experienced reputational damage with the disposal of Brent Spar in the North Sea, there has been a literature and conference explosion in the risk management area. New journals have been created and old journals have been renamed to include the word ‘risk.’ Numerous textbooks have been written on risk management, particularly on new objects of concern such as ‘operational risk’ and reputational risk. Regulatory changes, notably the Basel 2 proposals for banks,
have provided a further stimulus to the risk management industry and in many organisations senior risk positions, like chief risk officers, have been created. In the UK public sector, central government has undertaken a major risk management initiative and risk is becoming a basis for challenging the quality of public services.

Over this period the quantitative expansion of risk management has been accompanied by very important qualitative changes, notably the alignment of risk management with good governance agendas. In addition, there has been much talk of the strategic benefits to organisations resulting from more explicit risk management.

This lecture strikes a more critical tone and argues that the rise of risk management has been characterised by an increasing accent on risk management for defensive and secondary risk management purposes, and that this shift in focus may in fact pose very serious risks to society.

The argument begins in the very heartland of accountants and auditors: internal control.

The rise of internal control

Six years ago in 1998 I gave the first P D Leake lecture on the theme of The audit implosion: regulating risk from the inside which anticipated the growing importance of internal auditors and organisational internal control systems. Since then, the Turnbull report has become a blueprint for thinking in the UK, expanding its influence well beyond the intended private sector audience to become a generic conceptual framework for internal control and risk management. In addition, internal control has been elevated from its lowly and private organisational position to become the basis for enterprise-wide risk management thinking, for risk-based regulation, and for accountability and governance. In short, internal control is now an unshakeable part of the moral economy of organisations in which specific responsibilities for different categories of risk are allocated.

This transformation in the status and scope of internal control is a project of turning organisations ‘inside out’ and of making their risk-based internal control systems a public and potentially disclosable matter as never before. This process has been under construction for some time. In the USA, the COSO framework in the early 1990s provided a conceptual framework for internal control and is now being remodelled as an enterprise risk management template. The Sarbanes-Oxley Act section 404 takes the public focus on internal control to the next level. Directors of the Securities and Exchange Commission (SEC) registrant companies will be required to evaluate the effectiveness of internal controls relating to financial reporting, and auditors are required to certify the process by which directors arrive at this evaluation and to provide an opinion on effectiveness itself. At a seminar in Spring 2004, it was reported that the SEC expects 20 per cent of the s404 audit opinions to be qualified in some way.

Reporting on internal control effectiveness has always been problematic, and has been discussed in the UK throughout the 1990s since the original corporate governance code was created. While auditors have privately developed a basis for assessing internal controls, to determine the extent of substantive tests, and have been active in reporting on control issues to management, the public reporting of internal control effectiveness has proved problematic. Effectiveness is itself elusive and auditors remain hesitant about giving public opinions in this and other areas because of liability concerns. The historical tendency is for auditors to give opinions on management processes, so the advent of s404 reporting will be challenging and will mark a new phase in the public life of private control.

The rise of internal control systems and their increasingly public role can be explained by a number of factors. First, organisations have come to recognize the self-insurance aspects of good internal controls as a basis for reducing and rationalizing insurance. Second, internal control systems have become central to regulatory strategies, such as Basel 2, concerned to work with the grain of organisations’ own systems. Third, the rise of internal control is
symptomatic of an institutionalised mode of responding to crisis and failure by extending the formalisation of reporting and control functions. Sarbanes-Oxley is a classic example of this as a response to Enron and other high profile failures. More generally, we observe that a whole spectrum of difficult primary risk issues get translated into problems of organisational control systems. These organisational translations of risk are to be seen in the cases of BSE and farm management systems; the Shipman murders and registration and monitoring systems for doctors in the UK; earthquakes and building regulation controls; terrorism and the organisation of security services.

the handling of the foot and mouth crisis in the public health domain, and project and systems failures, such as in the UK passport office. In recent years state sector organisations have begun to import and implement risk management ideas and blueprints from the private sector. There is an observable ‘Turnbull effect’ in schools, universities, hospitals and charities, and financial and project risk management has become an important feature of private-public partnerships.

Two areas where the state as risk manager is most evident are the emphasis on risk communication and the development of explicitly risk-based regulatory systems.

unique to the problems of auditors. Such gaps can be managed with strategies to change the performance dimension of the gap. Alternatively, or in addition, an attempt can be made to change the expectations dimension of the gap, i.e. to ‘educate’ and enfranchise relevant publics via risk communication and participative schemes.

An important feature of risk management and this accent on risk communication in the domain of public policy is the management of reputational or political risk to government. Another way of putting this is to suggest that, while government and its agencies, such as the Department of Health, certainly focus great efforts on first order risks to the public associated with, say, mobile phone radiation and food quality, there are also more conspicuous strategies to manage reputation by avoiding the potential for blame.

One potentially important aspect of risk communication concerns the very concept of ‘risk’ itself which, though subject to different definitions, implies the ex ante possibility that things can go wrong or not turn out as expected. This is relevant to the second public policy theme in risk management – risk-based regulation.

Risk-based regulation

It is now well known that there has been a profound shift in ideas about regulation in the last 20 years or so. Regulatory systems increasingly seek to work with the grain of organisational control practices, enlisting them in the regulatory process and preferring to establish broad frameworks rather than detailed rules. The Company Law review in the UK has this ambition. This approach has the merit of being efficient and cost-effective and gives regulatory processes a legitimacy that an older command and control style may have lacked. Organisational internal control systems are an essential feature of this style of regulation, its mirror image at the organisation level.

States have created a number of distinct agencies to regulate specific functional areas. In the UK the Financial Services Authority (FSA), The Food Standards Agency, the Health and Safety Executive, and the Healthcare Commission are examples, and there are many others. Indeed, the growth of such agencies, particularly in the wake of the privatisation of many utilities, is said to characterise the UK ‘regulatory state’.

Some of these agencies have recently become more explicit about having a risk-based approach to regulation. The principle is that an ongoing risk assessment of regulated entities will enable resources to be directed to areas where they are most relevant and where risks are deemed to be higher. Organisations with risk management and control systems regarded as effective, i.e. those whose processes of self-control are good, can be regarded as low risk and subject to a moderated regime of inspection and enquiry. The operating philosophy of the UK FSA clearly reflects this. Risk-based regulation also provides the basis for a common language between regulator and regulated, even to the extent that the two become more similar in their formal structure (‘isomorphism’).

Some regulators are making increasingly explicit claims that risk-based regulation means that regulation is not an insurance process, that things can go wrong and that such agencies cannot be a priori responsible for every possible failure. Being public about this meaning of risk is a kind of reputation management strategy, an effort to displace an apparent public expectation of zero-failure, exacerbated by political discourses of zero-tolerance.

Here the politics of risk becomes complicated. On the one hand events like the demise of Equitable Life might be regarded as tolerable from a statistical or systemic point of view, but are experienced by large numbers of people as catastrophic. So whatever ex ante risk-based communicative strategy is adopted for reputation management purposes, ex post it will remain difficult to control public responses because crises are distributional and impact on some people more than others. Despite this, reputation management has emerged as an ambition to control such public responses.

Reputational risk

Most businesspersons today, when asked about the risk which worries them most, will often mention reputation. Yet the idea and practice of reputation management is itself very young, created in the wake of Shell’s experience of attempting to dispose of Brent Spar in the North Sea in 1995. In an orchestrated campaign against the company, stations were boycotted, particularly in Germany, and there was resulting economic loss. In response the company undertook a sweeping internal review. Sea-based disposal of the old unit was calculated to be the least environmentally harmful option, but Shell had failed to communicate this to the public and to relevant interest groups.

While organisations can do much themselves to mitigate these secondary or reputational risks, they remain hostage to the institutional environment in which they operate. Effort is being expended on external stakeholder and relationship management, including the development of strategic partnerships. From this point of view, the current interest in Corporate Social Responsibility (CSR) can be argued to be a defensive strategy; CSR is simply subsumed within reputation risk management.

If everything can potentially threaten reputation, then reputation risk demands the management of everything.

internally legalised organisational environment. Legalisation does not mean the law literally but the process by which a distinctive style of rule making pervades organisational life. From this point of view, the formal difference between laws, voluntary codes and in-house procedures matters very little; what matters is their effects. Indeed, it can be argued that many organisations, and perhaps accounting firms too, internally amplify imagined legal risks with internal processes which systematically build in forms of caution, and which create incentives for responsibility avoidance via formal modes of compliance. There is a vicious circle linking the multiplication of rules to rule-like actor mentalities. Risk management systems ‘hard-wire’ defensiveness in organisations but this is not to be identified simply with risk aversity. Systems may well affect risk appetite, but it is only necessary to say that they enable responsibility avoidance, whereby agents allocate more non-productive time to managing the secondary risk of adverse outcomes.

If the 1980s was the decade of intensifying external accountability for organisations, the 1990s and the corporate governance revolution added pressures for greater internal accountability, facilitated by an internal control system which is also a responsibility allocation system. Risk management is largely an extension of this trend. A form of hyper-internal control amplifies the time and attention spent on secondary risk management by organisational actors and professional agents in a climate of heightened expectation. Typically, as process becomes more finely grained, individuals are increasingly concerned with the risks of being seen not to comply with the system, as well as with managing first order risk in a visible way. However, they are increasingly distracted from first order risk issues and get socialized into a certain way of thinking about the organisation. If one has any doubts on this matter, ask the question: what assumptions about human nature underlie the Sarbanes-Oxley act?

At worst, risk management based internal control threatens to imprison organisational thinking. The fearful concern with reputational risk leads to a loss of materiality as categories of control become more fine-grained. Indeed, as professional service firms and professions more generally apply these ideas to themselves, they become potentially inward-looking and preoccupied with secondary risk.

The role of professional judgement in society as a whole, not just that of accountants, is threatened by these effects. An implicit contract exists between society and expert occupations. In return for monopoly rights over areas of work, risky but necessary judgments are made for the greater good. These are judgments which could be made reasonably at one time, but might in retrospect turn out to be wrong. Today, this sense of reasonable judgement is subject to increasing pressure from a legalised environment, referred to variously as the ‘consumer movement’, the ‘human rights culture’ and the ‘compensation culture’. While such external pressures play a role in assuring the quality of professional services, by providing a point of challenge and potential sanction, there is also a growing sense that the defensive investments they trigger are out of control.

Take the recent money laundering regulations in the UK. The press anticipates a wave of ‘defensive’ reporting to the National Criminal Intelligence Service (NCIS) by accountants and lawyers, managing their own risks in relation to the legislation. In the university sector, student references have become more anodyne and less informative over the years (more like audit reports?). As a consequence, such references have become devalued and employers recruit ‘employment risk management’ consultants to do searches. So a risk industry feeds on the consequences of secondary risk management.

If we look at the regulations which pervade organisational life, they are all individually reasonable. But they all demand systems of internal control to demonstrate visible compliance, and their collective effect is to force opinion formation underground or to make it only visible in coded form accompanied by complex disclaimers.

Individual teachers, accountants, lawyers or doctors cannot be blamed for this state of affairs. Far from it; it is completely rational to invest in secondary risk management strategies to avoid blame for downside outcomes. The problem is systematic and therefore much more serious. A ‘morally thin’ environment is being created which, despite much talk of the ‘opportunity’ inherent in the new risk management and the Sarbanes-Oxley requirements, is profoundly damaging to professional cultures. Whatever critique might be mounted about those cultures, such as their historical lack of accountability, it remains true that all individuals in society need, at crucial times and without hesitation, to trust professional judgement, whether that of a tax adviser or a doctor. That need is frustrated when those same professionals, including politicians, appear to be preoccupied to a great extent with their own risk. The risk management of everything, and the rise of hyper-internal control, is a symptom of a profound crisis in our trust in informed but necessarily imperfect judgement.

Conclusions and recommendations

It has been suggested that a certain kind of secondary or reputational risk management increasingly pervades organisational life at all levels of society. A growing activism and individualism in the environments of organisations, amplified by political pressures, has resulted in an intensification of internal control practices. From this broad point of view, despite the positive talk, the new wave of risk management can be regarded as a defensive reaction to an increasingly demanding environment. Professionals will argue that the law, an aggressive media and an over-responsive political system are at the centre of this story. Certainly, the free press and media, core institutions of liberal democracies, are not without reputational issues of their own in early 2004, but they remain a powerful conduit for secondary risks to organisations.

The risk management of everything is not simply to be discussed at the level of the effects of organisational internal controls, although this is where the current discussion has laid most emphasis. It is also to do with problems of political culture, and the failure to develop a politics of uncertainty in which failure can be openly spoken of both ex ante as possible and ex post as not always blameworthy.

Assuming the above analysis strikes some chords in the world of practice, what might be done about it? As far as accountancy is concerned, we stand on the threshold of some critical developments. Expectations seem high, maybe too high, that the new OFR will provide a disclosure vehicle capable of satisfying analyst demands for information about strategy and risk, and social demands for information relevant to wider corporate responsibility. In addition, the requirements of Sarbanes-Oxley section 404 will begin to bite for some companies, although this is likely to become diffused as a standard for non-SEC registrant entities as well, rather in the way of ISO 9000. The Turnbull report will be reviewed and the FSA proposes a new form of auditor reporting for the combined code.

In the current environment, it is only too easy to predict what may happen. Reports by auditors and others will default to a standardized form with defensive, uninformative wording. Liability is often regarded as the main culprit for this, but this is doubtful. A change in liability law for auditors might have an effect over the long term, but the secondary risk management practices of many individuals and organisations are now part of their operating culture. A change in the law would provide but a small dent in this. Furthermore, excessive lobbying for law reform may also damage reputation.

The challenge is daunting, because it is not rational for any individual, organisation or professional institute to initiate changes on its own. But this in effect is what will need to happen, with political support. The challenge of the risk management of everything is to roll back the culture of secondary risk management before it consumes organisational life. This effort will need to be conducted at two levels: risk management practice and political discourse.

At the level of risk management practice, the need is for an ‘intelligent’ risk management which is not control obsessed and which has a second order capacity to observe and challenge the effects of the internal control system itself. Some organisations will say they already have this intelligence. It is a capacity to challenge the, often very ideal, organisational models and assumptions inherent in risk management standards and the systems whose design they inform. It is also a capacity to avoid being swept away by regulatory programmes – very difficult given the wave of recent initiatives in the corporate world. In addition, there is a need to nurture no-blame internal organisational environments.

There is nothing very original about these suggestions, but they would require all organisations to develop operating philosophies of experimentation rather than compliance. From this point of view scenario analysis has value to stimulate the imagination of possible alternatives to the present, rather than as a method of prediction.

At a more systemic or political level a new politics of risk is required. An older politics of risk sought to challenge expert judgement, particularly that of scientists, by increasing public participation in risk management processes. A new politics is required which restores trust in expertise and which re-enlists honest professional judgement in the public domain. The creation of safe havens for judgement does not mean making professionals non-accountable. Rather, it is to have public recognition of the essential dependence of society on that judgement even when failure is possible. A more differentiated public concept of failure would restore to the very centre of its legal and conceptual framework the idea of reasonable judgement which might in retrospect prove to be mistaken.

professional opinions of all kinds are offered, an understanding grounded in a political culture which tolerates uncertainty rather than the depressing ubiquity of disclaimer paragraphs. In this world, technical reform of liability law might take place, but it would have to be part of a larger shift in political consensus, a shift in which professional institutes, and corporate and political leaders would need to play a part.

These suggestions may seem very idealistic, and they are no doubt underdeveloped and incomplete. But the stakes are high. The possible consequence of the risk management of everything may be nothing less than the retreat of socially valuable intelligence from the public domain. In this lecture I have tried to suggest that the problem is reflected in, but is much wider than, the position in which auditors presently find themselves. Indeed, society is in a bizarre predicament. Never before has there been such a need for considered expert opinion in so many fields of social and economic life. And yet are we not designing institutions and risk management practices whose effect is to frustrate that need?

An expanded version of the arguments in this lecture is to be found in The Risk Management of Everything: Rethinking the Politics of Uncertainty by M Power (London: Demos, 2004). Available from www.demos.co.uk.

Author’s acknowledgements
I am grateful to the Trustees of the P D Leake Trust and to the
Institute of Chartered Accountants in England & Wales, for financial
support. The views expressed are my own and do not necessarily
reflect those of the ICAEW.
Chartered Accountants’ Hall PO Box 433 Moorgate Place London EC2P 2BJ
Tel 020 7920 8100 Fax 020 7638 6009 www.icaew.co.uk