Dimensionamiento y envergadura…. 64

Practitioner prescriptions regularly state that senior management commit-ment and culture, commonly called ‘buy-in’, is a necessary condition for the success of any kind of ERM programme. Accordingly, the ‘risk culture’ of an organization has become a new and paradoxical object of concern within risk management. ‘Risk culture’ is a label for a range of attributes of organizations Making Risk Auditable / 175

which are not readily amenable to formalization in protocols, which operate as constraints on machine-like implementation and which shape, in almost unconscious ways, management decision-making. Risk culture has come speciWcally into view as an aspect of the retrospective reconstruction of disasters and crises. The investigation of the Challenger disaster concluded, just as the Barings enquiry did over ten years later, that there was a failure of organizational culture at NASA, of the tone at the top, rather than failure of technical knowledge or risk analysis. The 9/11 commission reached similar conclusions about the culture of security organizations in the USA. Risk culture, or lack of it, has become a speciWc post-disaster explanatory ‘trope’

(JasanoV, 1994).

The scholarly literature on organizational culture is vast and is a conduit for anthropological, sociological, and psychological ideas in the management Weld. Simons (1999) suggests that ‘risk culture’ may be analysed in terms of three key variables: how rewards for entrepreneurial risk taking are balanced with demands for control; how organizations deal with executive resistance to bad news—the problem of ‘upward’ information Xow; and the levels of internal competition which might prevent information sharing in critical situations.12 Capacity to assemble information, a key feature of the man-made disasters literature, will be a function of how transaction velocity and complexity create gaps in diagnostic performance measures. But it is also a function of belief and boundary systems which determine what is and is not allowed. According to Simons internal controls are ‘an essential foundation for controlling risk in all organizations’ and his analysis suggests how discourses of culture and internal control have come to be co-extensive.

The signiWcance attached to the factors deemed to constitute ‘risk culture’

is reXected in the highly inclusive concept of ‘control environment’ (COSO, 2004) which necessitates eVorts to formalize, construct and make visible risk culture as an auditable object. The positioning of risk culture within risk management frameworks provides an illustration of the penetration of the logic of auditability into managerial practice. This demand overrides exten-sive critiques of ‘box-ticking’ and of the ‘disfunctionality of transparency’

(e.g., Strathern, 2000a; O’Neill, 2006). Checklists and indicators have been developed for the concept of risk culture which has become standardized, instrumentalized, and identiWed with the elements described in ERM stand-ards. Formal arrangements such as codes of ethics, policies for whistleblow-ing, and staV training programmes, become the auditable manifestations of 176 / Organized Uncertainty

risk culture. Yet studies suggest that anthropological sensibilities about culture are antithetical to the logic of audit. The former tends to expand the complexity of context, while the latter, in its current form at least, is essentially reductive. Thus, eVorts to render culture auditable, as an explicit object of management intervention, are very likely to interfere with collect-ive patterns of operations and behaviour (Strathern, 2000a; 2000c). In essence, auditability as a value system constitutes ‘risk culture’ as a managerial object in its own image. By a process of administrative osmosis, indicators begin to lose their ‘proxy’ status and become regarded as the things they stand for.

It should not be imagined for an instant that practitioners are dupes and slaves to an ‘iron cage’ rationalization processes. Cultural features always escape eVorts to control them via proxies and risk management discourses are also replete with many critical prescriptions directed at the perceived excesses of managerialism, legalism, and auditability. It is often said by practitioners that risk management must be Xexible, embody redundancy, have the capacity to support organized irritation, and challenge orthodoxies.

There is also growing awareness that management overconWdence, biases, and deviant notional normalities identiWed in disaster analysis must be overcome if problems are not to ‘incubate’ over long periods. Some practitioners liken risk management to an organizational conversation sustained among key actors, a point which echoes Weick’s (1993) emphasis on maintaining interaction and abandoning hierarchy during a crisis. All these critical pre-scriptions, in both practitioner and in academic papers, are demands for a risk management ‘culture’ which does not and cannot managerialize itself in the sense described above, that is, via auditable routines and legalized process.

Herein lies the essential dilemma of eVorts to construct any ‘intelligent’

management information system which seeks to go beyond due process to create messy, ad hoc challenges to existing ways of doing things (e.g., Hedburg and Jo¨nsson, 1978). In order to sustain legitimacy, travel, and become widely diVused, these approaches must of necessity adopt standardized protocols, questionnaires, checklists, and spreadsheets. An intelligent management practice would quickly come under pressure to represent itself as a process which is formal, replicable, portable and not owned by idiosyncratic groups of individuals. It would become scientized, represented in cybernetic form and subsumed within ERM standards. Complexity and local functionality would be lost, as Weick suggests, and the ‘real’ management of risk would migrate to Making Risk Auditable / 177

other kinds of informal practice. Risk culture checklists and similar tools will therefore survive despite their simpliWcations because they are legitimate representations of the demand for making risk auditable.

Despite the motivational power of the many insights derived from post-disaster analysis, and their roots in soft organizational psychology, the man-agerial institutionalization of these insights has been problematic. It is not that practitioners of risk management are resistant to these ideas—quite the opposite is true; they are completely persuaded of the importance of ‘risk culture’ and constantly make judgements about it. But these judgements are diYcult to represent within rationalized designs for risk governance and the climates of auditability within which they operate. Risk insights can only acquire formal managerial signiWcance within the conceptual and oper-ational space of auditing and internal control systems. This architecture, supported by an active advisory industry, has acquired considerable legitim-acy because it is founded on deeply entrenched values which are immune to surface criticisms of bureaucracy, ‘red-tape’, or ‘box-ticking’.

Conclusions

It should be clear by now that the transformations in the design of risk management described in this book are not at all identical with an ambition to measure everything. Indeed, the story is how the mathematical isolation of calculative idealists has come to be framed increasingly as a governance issue. Previous chapters suggest that the particular phase of risk management history since 1995 may have much less to do with the expansion of quantiWcation than is commonly thought, despite the sig-niWcance accorded to VaR and other techniques in this period. A cultural

‘trust in numbers’ has given way to an emphasis on systems and processes to deWne governance. These processes reveal deeply institutionalized values of auditability and legalization which have common roots as world-level forms of rationalization.

This story of rationalization parallels the related thesis of scientization, namely the claim that there has been a worldwide ‘permeation of science-like logics and activities, with the underlying principles of universalism, scripts and proaction, to everyday activities’ (Drori and Meyer, 2006: 44).

178 / Organized Uncertainty

Like the concepts of auditability and legalization, scientization in this sense has little to do with eYciency or economic improvement, despite rhetorics to this eVect. It is rather a deWning feature of rationalization in the modern world. For example, parallels exist between cybernetic conceptions of risk management and quality discussed in Chapter 3 and the Taylorist principles of scientiWc management, which was also a world-level movement early in the twentieth century (Merkle, 1980).13 And quality assurance paradigms in engineering can be traced to the emergence of the operational and decision sciences in the 1950s. These bodies of knowledge have been described as

‘cyborg’ sciences, because human behaviour is progressively embodied in machine-like control theory, which Wnds its way into business school edu-cation (Mirowksi, 2002: 316–17). The scientiWc ideal also found its way into early conceptualizations of audit, which were modelled on the hypothetico-deductive method (Mautz and Sharaf, 1961). It would require a robust historical analysis to do justice to the genealogy of scientiWc systems thinking in these diVerent strands of management. The point is only to suggest how the modes of auditability and legalization might plausibly be regarded as traceable to more fundamental processes of scientization. Rationalized audit-ability as designed into risk management practices can be regarded as a particular aspect of the scientization of organizational life described by Drori and Meyer. Equally, legalization understood as the permeation of organizations by law-like governing logics can be traced to the very same processes of rationalization which they identify.

However, the shift from risk analysis to risk governance described in this book is much more than an epiphenomenon of world-level pressures for scientization. It represents a fundamental transformation and mutation of scientized thinking from the positivism of numbers and calculations of risk analysis to the administrative positivism of the accountant and auditor.

This is a mode of rationalization which is misleadingly characterized in terms of the a growth of science and scientiWc values. The rise of risk analysis and the development of VaR do Wt a model of scientization which transforms

‘mysteries into risk that must be managed’ (Drori and Meyer, 2006: 31) but they have themselves been subsumed within world-level ideas of gov-ernance and the manifestation of these ideas in rational designs for risk management. From this point of view, the science of risk analysis is less signiWcant than the ‘organizational cultures’ which govern that science.

And this has given rise to intensiWed concerns with transforming the Making Risk Auditable / 179

administrative mystery of ‘risk culture’ and ‘tone at the top’ into a govern-able and auditgovern-able object.

Risks do not exist in themselves, but this is not an anti-realist position at all. Many events occur with adverse consequences for many individuals and it would be better if they did not. Risks only have reality within social systems which have expectations of decision and action, expectations which increasingly crystallize as demands for management systems for risk.

In this chapter, the managerial form of these representations of risk has been considered, a form which is visible in the stories of the rise of internal control, the emergence of ERM and operational risk, and the organizational signiWcance of reputation. In all these cases, models of practice have been shaped by values of auditability and procedural defendability. Public report-ing matters less to the theory of auditability than the construction of practice in light of a possibility that an account might one day need to be given. These values of auditability are deeply institutionalized principles of design which are anchored in world-level values of rational governance. Processes of auditability and legalization have intensiWed in the face of the spectre of low-probability, high-impact events as a category of event which demands the management of the unmanageable. The essence of the new risk man-agement is to produce the governance and regulation of unknowable uncertainties via a distinctive kind of organizational proceduralization which prioritizes the auditability of process.

Risk management is no longer a private matter for experts, but is in-creasingly publicly certiWable and visible because of its role in deWning organizational virtue and legitimacy. The ‘taming of chance’ and statistical classification has been essential to a public project of framing collectivities of individuals for intervention (Hacking, 1986). The managerialization of risk management described in this book has had similar eVects—as a modality of organizational actorhood (Meyer, 2002) and as a ‘mobilizer of moral commu-nity’ (Ericson et al., 2003: 67). Fears of terrorism or rogue traders or wayward CEOs may or may not be exaggerated, but the signiWcant driver of the managerialization of risk management is an institutional fear and anxiety, namely that which is associated with the demands of organizational and individual accountability. Distant dangers of low probability high impact events are invoked to solve institutional problems of control. The form of these eVorts to organize uncertainty may have little to do with dangers themselves and more to do with the state of trust in organizational and 180 / Organized Uncertainty

political life. As Douglas (1992b: 77–9), puts it; ‘accepting risks is part of accepting organizations’. If so, making risk management into an auditable and legalized practice tells us little about the state of the world and the dangers and opportunities it may contain, and much more about the role of risk in the construction and aYrmation of organizations as actors and their respective accountabilities.

Notes

1. See ‘A price worth paying?’, The Economist, 21 May 2005, 81–3.

2. On the construction of the eVectiveness of audit committees, see Gendron and Bedard (2006).

3. For example, ITGI (2006). I have greatly understated the signiWcance of the emergence of risk governance in the domain of IT security. COBIT, control objectives for information technology, is one of several eVorts to create security and integrity standards which parallel those of ERM more generally. Another chapter on this topic, with a very similar argument form to the treatment of operational risk, could have been written.

4. Formal practices of ‘risk auditing’ were evident in so-called hazard industries prior to 1995, where the International Safety Rating System prescribed internal control conditions as a basis for ‘risk inspection’ (Turner and Pidgeon, 1997: 185–6). However, this industry-speciWc manifestation of a systems-based style of risk audit did not acquire more general organiza-tional and industrial signiWcance until the rise of governance discourses in the 1990s.

5. See Diver (1983) on the optimality of precision in rules and trade-oVs in design and related costs.

6. See, ‘Watchdog to put a price on ‘‘claim culture’’ ’, The Financial Times, 17 July 2003. The debate about whether ‘compensation culture’ is perceived or real also concedes that perceptions have real eVects, and agents’ actions in response to such perceptions may reinforce them e.g., individuals may make claims in the belief that insurers and courts are likely to pay; and an industry of claims lawyers is created which talks up their service on a no win, no fee basis.

The legalization of organizational routines has little to do with how courts of law actually operate and settle cases, but it may aVect beliefs about them.

7. ‘Common sense culture not compensation culture’—a speech delivered at the Institute of Public Policy Research on 26 May 2005.

8. See de Waal (2006) for an excellent analysis of the impact on inspection regimes on secondary school teachers.

9. See, ‘Money laundering tip-oVs set to double’, The Financial Times, 1 March 2004.

10. As freedom of information legislation has taken hold, employment references have become less informative in recent years, containing largely factual data. And as the information value of such references for information purposes go down, they are sought largely for formal reasons, i.e., to demonstrate due process and to defend a decision taken on other grounds.

Making Risk Auditable / 181