The previous three sections suggest that the idea of ERM is a hybrid of elements linked by a common ‘whole-of-organization’ risk approach overseen by a new class of actors—CROs. Metrics based conceptions of ERM have been subsumed within reformist discourses focusing on internal control and quality management ideas. Risk management and internal control are understood as a process and this process in turn has come to be constitutive of good organizational governance and accountability. Notwithstanding the different nuances of ERM, it has come to be a significant regulatory resource in its various manifestations. For example, the COSO framework has come to play an important role for the Securities and Exchange Commission.

86 / Organized Uncertainty
As governance discourses and ideas have swept through central and local government organizations, business risk management ideas have been grafted on to internal control frameworks for public bodies. In the United Kingdom, there has been a specific change programme to this effect led by a central government which is ‘currently awash with initiatives to promote risk management’ (Black, 2005: 512). ERM ideas, as expressed in the UK Turnbull Report, have come to be part of a public change programme not dissimilar in scope to the collection of neoliberal ideas embodied in the ‘new public management’. Public organizations must internalize a model of business risk assessment which demands that risks to strategy are considered.
As Black puts it, this is now the new public risk management. Risk is becoming the organizing principle for change and challenge in public services, a development which merits further examination from public administration scholars.21 An important subset of public bodies where such changes are particularly pertinent are regulatory organizations themselves; risk management is becoming part of the rules for being a ‘good’ state regulator (Marcussen, 2000).
As discussed above and in Chapter 2, a family of convergent regulatory strategies now demands explicit articulation and proof of internal control and risk management systems. From this point of view, ERM in all its variety is a potential regulatory resource and a basis for regulatory oversight or meta-regulation. However, the emergence of control-based and business risk management standards like Turnbull and COSO has also come to influence the framing of the architecture of regulation itself. Thus, one of the more profound aspects of the organizational significance of risk management is now evident in the widespread diffusion of the idea that regulatory practices of many different kinds must be ‘risk-based’ and must import the language and concepts of risk management standards to do this. From being a regulatory resource, ERM has been transformed into a model of regulatory process itself. ERM has become part of reformist discourses for regulators themselves, informing conceptions of what good regulatory process should look like (e.g., IOSCO, 1998).22
To grasp this development, it is necessary to understand the number and variety of regulatory bodies to manage risks to the public in the UK. A recent report lists 63 national bodies (HM Treasury, 2005) and Hood et al. (2001) have identified critical sources of diversity in risk regulation. In the broadest terms, each regulatory body has its own methodologies for data gathering and has always been ‘risk-based’ in the sense of employing dedicated risk analysts, many of whom would have relevant scientific training in specific risk techniques (Black, 2005: 516; Rothstein et al., 2006b). So the pressure for change being described here is less directly to do with these different forms of technical risk analysis in themselves, and more to do with demands for greater transparency and accountability of regulatory operations and decision-making in general. In part this is the result of greater pressures to democratize regulatory science in specific fields and of claims that risk acceptance or tolerance issues are not the sole preserve of experts (Rothstein et al., 2006a). In part the pressure has also been for greater justification of the regulatory process in the face of ‘red-tape’ arguments, particularly for super-regulatory bodies created as a result of consolidation (Hutter, 2005). This has led to the development of principles of good regulation as a high-level standard embodying prescriptions that interventions must be targeted and proportionate to the risks to the public. Formal elements of business risk or ERM thinking have, to varying degrees, been imported as part of this pressure for regulatory justification.
In the UK, the Health and Safety Executive published an account of its decision-making process and drew attention to its analytical approach (HSE, 2001). ERM ideas are visible in this account. The HSE process approach begins with deciding whether the issue is properly one for them and ends with evaluating the effectiveness of action taken. This is a prescription of an ideal cybernetic process, which corresponds very closely to that of COSO and quality management. In another example, the Nuclear Energy Agency of the OECD published a discussion document Improving Nuclear Regulatory Effectiveness (OECD, 2001) which draws explicitly on quality management systems and ideas of continuous improvement. The mission of the agency is the starting point for evaluating everything it does and how it manages risk to the public, its efficiency and added value. In these two examples, risk-based regulation is close to meaning mission-based regulation, reflecting the quality origins of ERM thinking. Perhaps the clearest example of the internalization of ERM ideas by a regulatory body is to be found in the self-description of the mission of the UK Financial Services Authority (FSA 2000). The FSA has explicitly designed a regulatory approach in terms of risks to its statutorily defined objectives. This is a successor to the RATE system (Bank of England 1997a) and the assessment of regulated entities has become framed under a risk assessment framework (ARROW) explicitly in terms of the risks posed to these objectives (Black, 2005; Hutter, 2005).23 The approach has been internalized and interactions between FSA and regulated entities are structured by an assessment of the risks they pose to the statutory objectives of the regulator.
Two issues are of particular significance in the emergence of risk-based regulation. First, a subtle but important translation has taken place in the conception of public risk management. The idea of managing risks to the public in different domains is now mediated by the idea of risks to the objectives of the regulatory body, their mission risk (Power, 2004c; Black, 2005). This translation epitomizes the accountability and governance framework within which risk management and risk-based ideas of regulation now operate. ERM creates a new basis for self-justification and formal account giving in the face of secondary, reputational, or institutional risk (Rothstein et al., 2006a)—understood as the risk of sanction and blame in the wider institutional environment. Regulator specific versions of ERM may have varying degrees of operational and decision making purchase in regulatory agencies, but claims to a risk-based approach provide a common language of justification and rationalization of method (Hutter, 2005). ERM as the capacity to defend process in terms of recognizable, abstracted institutionalized elements underlies the legitimacy of all organizations—including those organizations whose task is to regulate.
The explicitly risk-based nature of regulation in many domains in the UK no doubt overlies considerable variation in practice, but it provides a frame for a potential new ‘politics of uncertainty’, one in which the possibility of failure and imperfection is accepted and made public. Risk-based regulation modeled in ERM terms necessarily and logically embodies the idea that failures are possible; there is a long history of similar qualifications to the effectiveness of internal control systems. However, as Rothstein et al. (2006a) argue, risk-based operating philosophies are ambivalent resources for regulatory bodies. On the one hand, the possibility of no-blame failure can be articulated. On the other hand, risk has become reflexively applied to regulatory bodies themselves; risk-based approaches become central to an active blame management process via the ability to demonstrate a rational process trail (Chapter 6). Existing political and public discourses sit uneasily with a risk-based ethos and tend to have a more ‘zero-tolerance’ character. There may be good distributive reasons for this. For example, the demise of Equitable Life in the UK, which could be regarded as ‘tolerable’ from the impersonal point of view of systemic financial risk, was in fact experienced by large numbers of people as a life-changing catastrophe. So business risk-based approaches which translate public risk into mission risk for the regulator do not necessarily avoid the politics of risk distribution and of varying public attitudes to risk. All this means that an ex ante public acceptance of the possibility of failure embodied in risk-based regulatory mission statements can never fully control ex post public reaction to actual failure. Regulatory bodies claiming to be risk-based are always inherently exposed to political reactions to major events.
This brings the argument to the second important issue regarding risk-based regulation. It was noted above that for regulatory bodies such as HSE with an established risk analysis community, being risk-based primarily means being more public and more formal about the process of analysis, or at least about some scripted account of that process. However, a prior process of risk analysis or meta-risk analysis is required by regulators in order to decide where to focus more technical risk analysis. In short, the business risk top-down approach is intended to focus analytical methods based on some kind of provisional ex ante risk assessment. This was evident in the structure of Business Risk Auditing (Chapter 2) and is no less the case in risk-based regulation. The problem for auditors was the fixed cost of developing business models of the client and its economic environment so that work could be targeted. The same is true of regulators applying this approach, particularly those with large populations of regulated entities or individuals (Black, 2005: 518–19). The initial challenge is to develop reporting instruments capable of providing baseline information about entities and individuals which enable a risk assessment to be made and inspection or enforcement resources to be targeted accordingly. The FSA in the UK currently uses a self-assessment return (RMAR) in the retail financial services area to build a risk profile of the entity over time. Something analogous is necessary in all such systems but the capacity to develop such baselines may be heavily constrained. Another significant challenge is that any risk-based approach is necessarily resource-constrained, so much so that some regulators would prefer it to be described as ‘resource-based regulation’ to manage public expectations more appropriately. Of course, while this category might be more descriptive, it would also be less legitimate and more threatening to governance ideals. Finally, political considerations may require that areas deemed low risk to a particular regulator’s mission must be examined and allocated resource.24
It is clear from the above that while the idea of risk-based regulation has become significant in the UK, it has a cluster of different meanings: transparency (and auditability) of risk assessment processes, efficiency of methods to allocate limited regulatory resource, risk to regulatory mission and objectives. These different meanings feature in the broad ERM frameworks discussed above. Regulatory organizations are subject to isomorphic pressures to become, at least at the level of formal mission and purpose, more like the organizations they regulate. Regulators are simply organizations whose distinctive purpose is to regulate, and accounts of their operating philosophies have necessarily become risk-based, because this is what is expected of a properly governed regulator. By analogy with the discussion in Chapter 2, risk-based regulation is part of the ‘turning inside-out’ of regulatory agencies, of being explicit about limited resources and the need to direct them to where they are needed most, e.g. failing schools, unsafe industrial facilities, banks with weak controls. ERM has become a design blueprint for resource constrained risk regulators (IOSCO, 1998).
The regulatory state is becoming a risk management state, both in its reliance on risk management systems in organizations and in its reflexive internalization of risk management to characterize the operating process of regulatory agencies. Elements of ERM have filtered into regulatory organizations not because such organizations have a deficit of risk assessment tools and methods, but as a blueprint for the governance and accountability of the regulatory decision process. Risk-based regulation adds little that is new to the analytical capacities of the large regulators; it rather provides them with a new encompassing strategic rationality for justification, for resource allocation, for focus, and for relating mission to activities. As a consequence, regulators are more like the business organizations they regulate and are increasingly regulated themselves (Jacobsson, 2006). How this risk-based rationality plays out in practice will be varied, but such variety will be assessed against the benchmark of a risk management ideal which is much more than analysis and marks a new ‘logic of organizing’ (Powell, 2001: 54) in the regulation of public risks.