Chapter 2 traced the emerging regulatory significance of internal control and its reframing as risk management. The COSO, CoCo, and Turnbull frameworks are standards which formalize fundamental design principles for the organizational self-management of risk, and which establish normative baselines against which organizations must evaluate themselves. Indeed, the field of risk management in all its variety is symptomatic of the emerging ‘world of standards’ (Brunsson and Jacobsson, 2000) which permeates organizations of all shapes and sizes. Reformist discourses of organizational governance have generated an industry of norm production for organizational conduct. Recent decades have witnessed an expansion of organizing in general via a multiplicity of transnational organizations who codify, formalize, and publish standards of practice (Meyer, 2002).
Scholarly and policy interest in the nature of these diverse norm production processes, whether characterized as ‘private government’ or ‘soft law’, ‘decentred regulation’ or ‘global governance’, has grown in response to these developments (Boli and Thomas, 1999; Djelic and Sahlin-Andersson, 2006b). Work in many social scientific fields such as international relations, political science, law, economics, management, and accounting, has become preoccupied with transnational organizations, their role in projects of standardization, their relationships with states and formal law, and their capacity to generate conformity, acceptance, and compliance. Boundaries between disciplines and organization types have become blurred as a result of converging interest in the private production of rules and standards, a production process embedded within broader programmatic discourses of, and pressures for, ‘better’ organizational governance (Drori, 2006). This chapter examines a specific sub-sector of this world of standards, namely the development, mobilization, and standardization of something commonly referred to under the umbrella concept of Enterprise Risk Management (ERM).
While industry technical guidance on the management of specific risks existed prior to 1995, that year saw the publication of the first explicitly generic risk management standard—a joint document by the Australian and New Zealand Standards organizations which built on earlier global standards for quality management systems. This was quickly followed by counterparts in Canada, UK, and Japan. In addition, professional associations and firms entered the field of standard setting for risk management.¹ ISO has developed standards for common risk management terminology (ISO/IEC, 2002) and broad process standards have been reapplied to specific areas, such as information security (e.g., COBIT). Most recently, COSO (2004) updated its earlier guidance on internal control and reframed it as a standard for ‘enterprise’ risk management. The risk management field is now awash with generic norms, standards and guidance which have been reapplied and adapted in specific sectors.
ERM has emerged as a significant category for rethinking the organization of risk management activities and there has been a conspicuous growth of normative and technical texts on the topic.² However, while there are various attempts to own the category, ERM should be understood as referring to any broadly based conception of risk management, encompassing ideas of ‘holistic’ (Hopkin, 2002), ‘integrated’ (Nottingham, 1997; AIRMIC, 1999; Doherty, 2000), and ‘business’ risk management (PwC/IFAC, 1999).
Standardizing Risk Management / 67

The specific category of ERM is increasingly prominent and plays a critical discursive role. It signifies any aspiration for a form of risk management practice which is all encompassing in scope, business-focused, and is suggestive of a bird’s eye view of organizational life. We should not assume that ERM refers unequivocally to a coherent set of practices. ERM as used in this setting must be understood from the outset as a label for a mixed bag of reformist, organizing sensibilities in the name of risk which have gathered momentum since the mid-1990s. Far from being a simple or unitary category referring to well understood processes and procedures, it would be better to regard ERM as a semi-popular managerial discourse which exists at the interface between regulators, finance specialists, insurers, and accountants. The idea of ERM speaks to their varied interests as agents of organizational change and accountability.
If ERM is not uniquely owned, it is also not a single standard of the kind that is normally discussed in professional circles. It signifies an emergent and hybrid programme in Rose and Miller’s (1992) sense, a programme of control in search of expression via clear standards of risk management as norms of organizing. ERM is an imagined organization-wide process of handling uncertainty and a category which mobilizes a number of projects of writing directed at standardizing the foundations of organizational control and governance. ERM signifies a basis for a new way of talking about control in organizations, one which appeals to enterprise rather than discipline. It is a discourse which envisages the integration of control and organizational strategy.
The discussion begins by recapping the conception of risk management as an essentially calculative practice, as discussed in Chapter 1. Ideas of ERM as developed in the fields of finance and insurance are considered, and the analysis focuses on the specific case of value at risk (VaR) as a risk measurement technology. This version of ERM is premised on the regulating ideal of calculating firm-wide economic capital, an ideal which runs up against many practical limitations, particularly in the area of operational risk (Chapter 4), but which still retains a hold on the imagination of a sub-class of practitioners in the financial world. In contrast to this calculative ‘grammar’ of risk management, section 3 deals with an aspect of ERM thinking which is continuous with the transformation of internal control discussed in Chapter 2 and with the corporate governance reform discourse of the early 1990s. Here, risk analysis and measurement issues are subsumed within a broader risk governance process. While a number of different versions of this concept of ERM exist, the discussion will focus on the example of the COSO principles for internal control and their rewriting as a standard for something now explicitly called ‘enterprise risk management’ or ERM (COSO, 2004).
68 / Organized Uncertainty

Section 4 analyses the emergence of new organizational agents of ERM, notably the chief risk officer role. Where Chapter 2 had considered the role of internal auditors in an increasingly crowded risk management field, this discussion focuses on the nature and jurisdiction of a head of risk, a role which accompanies the rise of audit and risk committees. It is argued that the CRO role must contend with a number of operational conflicts in being a change agent for ERM. Regulatory systems, particularly in the field of financial services, increasingly require a head of risk and conformity to an accepted ERM framework, such as COSO (2004) or Turnbull. Section 5 argues that regulatory systems which seek to rely on organizational risk management practice also re-import this knowledge as a framework for their own role. Thus, ideas of risk-based regulation are discussed as a particular dimension of the ERM standardization process, namely the increasing isomorphism between regulatory and regulated organizational processes. ERM must therefore be understood as a body of popular organizational knowledge which is simultaneously managerial and regulatory.
Taken together, these four strands of argument suggest that the category of ERM is now prominent as an umbrella for a world-level organizational model, with more general significance for a new risk-based ‘moral economy’ of organizational life in general. ERM is ‘global’ both in the sense of being all-encompassing in ambition and also in being transnational in reach (Drori, 2006: 113). The rise of ERM is also an administrative manifestation of neoliberal pressures to transfer the conception of risk management from the negative space of the risk society to that of the ‘opportunity’ society populated by risk-taking entrepreneurs. In addition, while ERM posits risk and its management as a fundamental constituent of the production of value, it also recodes calculative and administrative processes within a new kind of organizational ‘actorhood’ in which the ‘ownership’ of, and accountability for, risk, rather like quality in the 1980s, defines a domain of responsibility and virtue.