The risk management of nothing

Michael Power
London School of Economics and Political Science, Dept. of Accounting and Finance and ESRC Centre for Analysis of Risk and Regulation, Houghton Street, WC2A 2AE London, United Kingdom

Abstract

This essay challenges core elements of enterprise risk management (ERM) and suggests that an impoverished conception of ‘risk appetite’ is part of the ‘intellectual failure’ at the heart of the financial crisis. Regulators, senior management and boards must understand risk appetite more as the consequence of a dynamic organizational process involving values as much as metrics. In addition, ERM has operated as a boundary preserving model of risk management subject to the ‘logic of the audit trail’, rather than a boundary challenging practice which confronts and addresses the complex realities of interconnectedness. The security provided by ERM is at best limited to certain states of the world and at worst it is illusory – the risk management of nothing. In contrast, Business continuity management (BCM) may provide clues about how risk management might be reconstructed.

© 2009 Elsevier Ltd. All rights reserved.
Introduction
It is far easier to blame individuals than entire systems of thought; senior executives of failed organizations can be asked to apologise in public, but the architecture of concepts and assumptions within which they operate is less visible and accountable. Yet if the roots of this financial crisis do indeed lie in a ‘wide ranging intellectual failure’ (Turner, 2009: p. 5), it is necessary to shift the focus of blame and analysis from the usual human suspects, notwithstanding what might be thought of them as individuals, and consider much harder questions of knowledge. In this essay, I focus on the near theological belief in enterprise risk management (ERM) and suggest that it is deeply implicated in a widespread failure of managerial and regulatory intelligence, despite the fact that many good and capable people are involved in its operationalisation. Indeed, policy makers need to understand the limitations of ERM as a platform for institutional re-building.
ERM is not a single thing, conceptually or practically. At the level of design ERM is a label for a system of concepts which have grown in organizational significance since the mid-1990s, arguably the period of ‘incubation’ (Turner, 1976) for the present crisis. The basic conception, as revealed in a vast body of guidance, is simple and superficially uncontentious: risk management and mitigation processes should be explicitly related to organizational and sub-organizational objectives. Prescriptively, organizations should seek to identify all material risks to their objectives and sub-objectives, design controls and mitigations which produce a residual risk consistent with a target risk appetite, and monitor this entire process, making feedback adjustments as necessary. The model is that of a thermostat which adjusts to changes in environment subject to a pre-given target temperature. From this somewhat mechanical point of view, problems with ERM are typically attributed by surveys of practice to implementation deficits and operational frictions – ‘if only we could do it properly’ – rather than the design philosophy itself.
doi:10.1016/j.aos.2009.06.001
The author is grateful for the helpful comments of Peter Bonisch and Anthony Hopwood.
Accounting, Organizations and Society 34 (2009) 849–855

While ERM has numerous sources feeding the same basic idea, the COSO (2004) version has become a world-level template for best practice over a short period of time (Power, 2007). COSO stands for the Committee of Sponsoring Organizations of the Treadway Commission, an ‘organizing organization’ (Ahrne & Brunsson, 2006) or coalition of the main accounting and finance trade associations in the United States and formed in the light of concerns about fraudulent financial reporting in the mid-1980s.[1] The Treadway Commission reported its findings in 1987 and COSO published guidance on internal control in 1992.[2] This guidance provides the antecedent conceptual building blocks for the 2004 framework for enterprise risk management, hence a direct line of influence on ERM can be traced to an accounting conception of internal control, itself a product of broader engineering conceptions of control theory. So the ERM model is strongly, if not exclusively, influenced by accounting and auditing norms of control, with an emphasis on process description and evidence.
The programmatic aspiration of ERM is twofold. First, like any managerial innovation, it promises that mistakes of the past will be mitigated, if not avoided, by a more rational and synthetic conception of risk management capable of a ‘canopy-like’ view of the organization (Drori, 2006). For example, ERM is closely associated with a conception of integrated risk management at the firm level, an integration which promises more efficient use of scarce capital, the ability to charge business units according to the amount of capital they place at risk, and more coherent insurance strategies which recognise the natural diversification benefits at work in any large organization. Second, ERM also embodies an aspiration for enterprising risk management, namely a conception of risk management which is positive, entrepreneurial and explicitly in the service of wealth creation: ‘risks are no longer the dark side of opportunities, they are also market opportunities’ (Beck, 1992: 46). From this it is easy to articulate a win–win logic of ERM; good risk management is good business.
Yet, for all the self-evidence of its conceptual elements and its core aspirations, I argue below that ERM is flawed at the level of design in three fundamental ways that deserve attention. First, I suggest that the ‘enterprise-wide’ view and the related notion of a singular organizational risk appetite are highly problematic. Indeed, the design and focus of ERM necessarily impoverishes a conception of risk appetite as organizational process. Second, the sources of this impoverishment lie in the deep complicity of ERM in the expanded significance of a ‘logic of auditability’. The proliferation of detailed process-based rules for risk management is normally assumed to be a defect of implementation, yet accounting ideals of internal control are embedded in the design itself, resulting in a style of risk management practice with wide and seductively expansive reach – the risk management of everything (Power, 2004). Third, the resulting expensive narratives of risk accountability have proven to be incapable of articulating and comprehending critical risks, particularly those associated with interconnectedness. ERM operates with a limited conception of embeddedness, although developments in business continuity management suggest a way beyond ERM, and its accounting knowledge base, which take interconnectedness as a given.
Risk enterprising and appetising
The very idea of risk ‘appetite’, which is at the heart of risk management practice, is closely bound up with the neoliberal postulation of organizations as ‘enterprising’ selves. Whereas a longstanding public sector tradition in health and safety has operated with the notion of risk ‘tolerance’, the category of ‘risk appetite’ has a less precautionary connotation and is aligned with that of the enterprising actor. This is consistent with Meyer (2002) and others who have drawn attention to the ‘explosion of organizing and organizations’ which characterises recent times, and to the emergence of a distinctive organizational actorhood which is confident, self-knowing and autonomous. Contemporary conceptions of risk appetite reflect this world-level conception and articulate organizations as legitimate risk-takers on behalf of society. From this point of view, the ‘enterprise’ concept infuses the ‘organization-wide’ character of enterprise risk management (ERM) with an entrepreneurial, risk-taking normativity, which requires that organizations and individuals know their appetite for risk (O’Malley, 2004).
The ambition to represent an organization as an integrated whole is something which ERM shares with financial accounting. Such ambitions are widespread in public policy and regulation. Scott (1998) and others suggest that all such programmatic dreams are doomed to failure; not least because their ‘thin simplifications’ are inadequate to reproduce domain-specific complexity. ‘Seeing like a state’ requires many things to be ignored, but these overlooked ‘frictions’ eventually re-impose themselves and take revenge on policy makers. Similarly ERM is a policy blueprint for seeing ‘like’ an ideal-typical organization. Developing the capacity to ‘visualise’ the whole of an organization via risk maps as a unitary and intentionalistic actor conveys a form of statehood on organizations. Through ERM they are required to act on, and govern, themselves.
While the enterprise-wide view, as articulated in standards and guidelines for ERM, expresses and symbolises the firm as an intelligent and intentional actor, it does so in a reductive manner consistent with a cybernetic or machine-like representation of action. Such representations of control and what it is to be in control have invited critical analysis (e.g. Robinson, 2007). At the heart of the machine idea the category of ‘risk appetite’ names the value inputs which, in theory, prescribe triggers, limits and tolerances for feedback and control purposes. For example, official standards like those of COSO define risk appetite as the amount of risk an entity is willing to bear, an amount which can be rationally determined by senior management of an organization.
Although COSO (2004) envisages the possibility of ‘qualitative’ understandings of risk appetite, the dominant conception is that of a quantitative benchmark such as a target level of financial capital to be maintained. In theory, capital is a buffer of high quality and liquid assets held as a kind of self-insurance against shocks and adverse events. While capital is at the heart of prudential regulatory philosophies, the actual level may exceed regulatory requirements to reflect a desired credit rating. However, even allowing for issues of definition and measurement, this concept of capital embodies, and conceals, at least two kinds of preference – those of society, as expressed by the law and enforced by a financial regulator, and those of the entity itself in its economic pursuits. In turn, this suggests that the very concept of risk appetite necessarily implicates the question of ‘whose appetite counts?’

[1] The sponsors of COSO include: The American Institute of Certified Public Accountants; The Institute of Internal Auditors; the Financial Executives International, the Institute of Management Accountants and the American Accounting Association.
[2] For a critical evaluation of COSO see Briloff (2001).
This question about risk appetite is hardly very new. It was vigorously debated in the context of health and safety regulation in the 1970s and 1980s (Mayo & Hollander, 1991) where the relationship between risk analysis and risk management was at issue. Proponents of a sharp distinction between analysis and management argued that the former is essentially ‘scientific’ and neutral while the latter is value laden, embodying ideas of risk tolerance and acceptability as inputs into the management process. This sharp duality was challenged by the view that values pervade so-called scientific analysis itself because risks are selected and framed (March & Shapira, 1987; Silbergeld, 1991). Furthermore, the values which enter the risk analysis and management process may and should be contested by different groups. Several authors argued strongly against the authority of experts in matters of public risk tolerance (e.g. Wynne, 1996).
It is interesting that, unlike environmental regulation, financial regulation has been relatively immune to debates of this kind. Such a debate would surely have problematized the predominantly technical articulation of risk appetite by COSO and others, especially for socially significant organizations like banks. The conception of ‘appetite’ as a singular input into ERM reflects the ‘thermostatic’ conception of risk management noted above. In stark contrast, Hood (1996) imagines a model of institutionalized conflict between different ‘appetites’, for example laterally between sales and control functions, or hierarchically between senior management and traders. Even control functions can vary internally in their values and ‘calculative culture’ (Mikes, 2009; Power, 2007). Hood argues that such a conflictual and pluralistic model is more descriptive of how organizations actually work, and makes lower demands on organizational and political rationality to produce a single ‘appetite’ by explicitly recognising and institutionalising processes by which different appetites and values can be mediated. The process of synthesis is undoubtedly a significant senior management challenge.
These ideas are promising for progressing the broad concerns about governance failure as a cause of the financial crisis. The governance failure is in fact a knowledge failure. Conceptualising risk appetising as a process might better direct risk management attention to where it has likely been lacking, namely to the multiplicity of interactions which shape operational and ethical boundaries at the level of organizational practice. COSO-style ERM principles effectively limit the concept of risk appetite within a capital measurement discourse. Framing risk appetite as the process through which ethics and incentives are formed and re-formed would not exclude this technical conception, but would bring it closer to the insights of several decades of organization theory. While the shape of this risk appetising process needs more specification, as a starting point it is more aligned with contemporary concerns about governance and may give these concerns more traction.
How has the ERM conception of risk management gained such a strong institutional foothold? The answer is complex but would point to cultural and epistemological processes of financialization which have shaped the increasingly reductive manner in which organizations are conceptualised, known, managed and regulated (Froud, Haslam, Johal, & Williams, 2000; Whitley, 1986). Yet while it is tempting to criticise financial economics and the overconfidence in tools, such as value-at-risk modelling, it may be that the accounting and auditing knowledge base which has been diffused by COSO has been much more significant in limiting a more intelligent conceptualisation of risk appetite as a process. COSO (2004) says very little about risk appetite relative to its emphasis on the elements of internal control and governance. It is a design which strongly reproduces the accountants’ conception of what matters.
In summary: the concept of ‘risk appetite’ has been promoted as part of the widespread diffusion of ERM, yet understanding of the concept and its implications is weak relative to the more bureaucratic elements of the framework. COSO and similar risk management texts presume that risk appetite can be unambiguously known and understood by organizations and the individuals within them. Yet, such a presumption flies in the face of behavioural studies which suggest that decisions in the face of risk are subject to framing and biases (e.g. March & Shapira, 1987). Add to this an extension of Arrow’s famous theorem which suggests that preferences cannot be consistently aggregated and it is clear that organizations, as much as societies, are constituted by varieties of risk appetites which change over time and according to context. COSO-style ‘risk appetite’ is at best an approximate description of the mix of attitudes and values about operational and ethical conduct which pervade organizational life. At worst it is fundamentally misleading. As policy makers search the rubble for new ideas, they could do worse than correct the COSO emphasis on control elements and conceptualise risk appetising as an organizational process. Such a reformulation would suggest, rather obviously with the benefit of hindsight, that the actions of different members of an organization may reveal different attitudes to risk. This would not make risk management easy, but it would have a much better chance to represent and focus on issues about governance quality which now preoccupy regulators. Without this focus the formalities of risk appetite as expressed in a corporate policy document provide only symbolic security. However, a huge barrier to a richer and more meaningful ecology of values within the risk management process is the smothering normativity of the accounting and auditing logic, which I now consider.
Making easy things auditable
The promise of ‘rational’ organizational and, by implication, societal safety in ERM as developed during the 1990s was celebrated as a correction to risk myopia – the so-called silo mentality – and was to promote more efficient use of capital in financial and non-financial institutions alike (COSO, 2004). Yet, as noted above, COSO-based ERM is fundamentally an accounting-driven blueprint which emphasises a controls-based approach to risk management. This design emphasis means that efforts at implementation will have an inherent tendency to elaborate detailed controls with corresponding document trails. Perhaps the most extreme example of this phenomenon has been the experience of the Sarbanes-Oxley legislation since it was passed in 2002. Demands under section 404 for evidence of effective controls over financial statements were amplified by a combination of auditors and management. Despite efforts to rewrite audit guidance, an ‘audit trail’ logic continues to organize practice to a considerable degree despite very extensive public criticism. Indeed, ‘box-checking’ may be widely derided, but as a legitimised evidence base for the supposed effectiveness of control and risk management activities, it remains durable.
The power of this logic of auditability in shaping thinking raises an immediate policy issue about the epistemological balance within risk management practice. Put somewhat stereotypically, the financial crisis suggests an urgent need to shift cognitive and economic resources from ‘rule-based compliance’ towards the ‘critical imagination of alternative futures’.
Rule-based compliance lays down regulations to be met, and requires extensive evidence, audit trails and box ‘checking’. All this demands considerable work and there is daily pressure on operational staff to process regulatory requirements. Yet, despite the workload volume pressure, this is also a cognitively comfortable world which focuses inwards on routine systems and controls. The auditability of this controls architecture can be theorized as a defence against anxiety and enables organizational agents to feel that their work conforms to legitimised principles (McGivern & Ferlie, 2007). This world of precise rules is expensive and potentially distracting, and intrinsic motivation may be polluted by extrinsic rules (Frey & Jegen, 2001), but its underlying logic is also psychologically and institutionally attractive, and persists because it offers a regulated transparency to the risk management process. While many risk and compliance people at the operational level prefer this less ambiguous and more rule-based world, it is also a rather dangerous generalised and standardized orientation for organizations, regulatory bodies and societies (e.g. Hall & Johnson, 2009).
In contrast, the ‘critical imagination of alternative futures’ is loosely related to what financial regulators call stress-testing, but as an ideal-typical risk management style we might characterise it as a less comfortable arena for organizational agents which is explicitly directed at creating ambiguity and challenge to core elements of business models. Because such core elements often form an organizational belief system (Simons, 1999), the imagination of alternative futures is likely to involve the production of discomfort, as compared with the formal ‘comfort’ of auditing (Pentland, 1993). The approach can take the form of scenario analysis in which participants from different disciplines in an organization can collectively track the trajectory of potential decisions and events. The process begins as an ‘encounter’ with risk and leads to the confrontation of limitation and ambiguity (e.g. Stulz, 2009). Such stress-testing ought in fact to produce stress and anxiety of a different kind, arising not from a concern for legitimacy but from the nature of knowledge and uncertainty itself.
The difference between these two orientations is, as noted, stereotypical, and there is quite a bit of middle ground. But the difference is instructive nevertheless. Within a rule-based, compliance model of risk management, many small actions are needed to fix things and to give risk managers a sense of doing something. There is no shortage of work and overload is the norm. By contrast, stress-testing produces uncertainty and alternative futures become an invitation to deliberation, rather than the creation of an ‘auditable’ fact (Holt, 2004). Yet such an orientation as a local, interactive process with its own decision making ‘style’ (Hopwood, 1974) is also likely to be transformed by centralised demands for proof. This potential transformation and capture by a logic of practice which prioritises the ‘audit trail’ is a critical challenge to contemporary financial regulators, who are themselves under the spell of the ERM blueprint because it allows them to supervise organizational conformity to it. The challenge is to expand processes which support interaction and dialogue and de-emphasise due process – both within risk management practice and between regulator and regulated. The normative policy need is to nurture regulatory and managerial capacity to develop and sustain a rich and varied risk management ecology which is not biased to a logic of audit and its demands for evidence, and which can tolerate a mix of decision styles and strategies.
The wrong kind of embeddedness?
The need to embed ‘risk management and internal control systems within business processes’ (FRC, 2005: 3) has become an unquestioned ERM imperative yet there is very little elaboration of what that might involve. Regulators look for the inclusion of risk in job descriptions and for business heads to be designated as ‘risk owners’. There is also now an advisory consensus that risk should be a critical optic in shaping budgeting, planning and strategy processes. Yet the continuing existence of large risk management bureaucracies in organizations suggests that embeddedness is both complex and elusive. Like risk appetite, the accountants’ concept of embeddedness, as articulated in the Turnbull report, is stated at the level of principle, leaving organizations to figure things out for themselves.
The Turnbull norm of embeddedness is essentially entity-based, bearing little or no relation to conceptions of the embeddedness of the firm in wider social networks as developed within economic sociology (Fligstein & Dauter, 2007). Yet the financial crisis is largely the result of a failure to represent and understand entity interconnectedness in this wider sense of embeddedness.
It may seem unfair to criticise ERM for failing to do something for which it was never designed in the first place, but there is a ‘conceptual complicity’ in its design, namely a deep-seated commitment to the discrete ‘entityhood’ of enterprise, which is part of the problem. The entity assumption is hardly new; arguably it pervades managerial and regulatory knowledge and is supported in both law (corporate personality) and accounting (the entity concept). And despite the evidence of decades on networks and strategic alliances, it is a fiction or illusion which may be functionally necessary for capitalism. Yet, ERM also marks out another very important vector of entityhood, namely that of the individual client as recipient of advisory services. It is difficult, though not impossible, for fields or even societies to be marked as clients, but it is predominantly at the enterprise level where ERM finds its strongest conditions of applicability.
Prima facie it makes sense to leave the more systemic view of interconnectivity to a body designed for that specific purpose, such as macro-prudential management of the banking system by a regulator. However, since all authorities have been surprised by this financial crisis, the relationship between enterprise level risk management and macro-prudential management deserves to be revisited. This is not simply an issue for financial institutions; two decades of environmental auditing at the enterprise level appear, superficially at least, to be entirely unconnected with the steady advance of climate change. The critical point is that risk management designs like ERM are fundamentally unable to process and represent internally systemic risk issues, since this would require an imagination of externalities well beyond their design parameters. One possible reason for this inability may lie in the economics of professional work in the accounting-centred advice industry. Large professional service firms tend to operate with standardized and abstract elements applicable to a mass of different ‘entities’. For rank and file accountants to operationalise such frameworks cost effectively, they must of necessity be weak on the kind of causal analysis necessary for an understanding of interconnectedness.
In this way, questions of the knowledge base of ERM connect to the wider political economy of professional advisory firms – the very firms who will be enlisted and will offer themselves in reforming risk management practice. ERM systems cannot represent embeddedness in the sense of interconnectedness; its proponents seem only to demand an intensification of embedding at the individual entity level. Yet, this latter kind of embedding of a compliance driven risk management, epitomised by the Sarbanes-Oxley legislation, is arguably a disaster in itself, by tying up resources and, much worse, cognition and attention in ‘auditized’ representations of business processes.
All is not lost. At the margins of the ERM consensus, there are interesting developments which may productively challenge ‘entityhood’. Business continuity management (BCM) has been a rapidly developing and hybrid field in recent years. Not only is it an increasingly prominent part of the changing risk management agenda, it is also a practice area where interconnectivity risks are central. BCM has originated outside of the accounting field of knowledge and potentially adds greater depth to the ‘going concern’ assumption. BCM involves hybrid specialists in IT and emergency management among others, and has moved up the agenda of financial regulators because of their interest in systemic risk (FSA, 2006). BCM is also much more explicit about its own epistemological challenge: it only has real value at the level of collective action. BCM is sensitive to the need to get beyond prescriptions for single organizations acting in isolation from one another; the integrity of any individual company BCM is necessarily a function of the BCM of its key commercial partners – not only suppliers but also competitors. Indeed, continuity of critical supply chains, including energy, is both a key business issue and also a powerful normalising metaphor for this new angle of approach to risk management (Knowledge@Wharton, 2009).
BCM is fundamentally unlike discrete risk management practices such as ERM in its self understanding. It is premised on the necessity of representing the interconnected nature of commercial life, as revealed in outsourcing arrangements and other strategic alliances. When it comes to BCM, one might say, perhaps obviously, that ‘no enterprise is an island’. However, as appealing as these ideas may be, there remain considerable institutional barriers to collective action of this kind: ‘getting organizations to recognize these interdependencies and achieving the commitment required to actively manage resilience issues which require collective rather than individual ownership remains a significant challenge’ (Joint Forum, 2006: 8). The risk with BCM, as with all safety measures and security checking, is that underinvestment in part of an interconnected system undermines efforts elsewhere and creates only illusions of security. This is the classic moral hazard problem for risk management of the ‘commons’ (Kunreuther & Heal, 2005).
In conclusion, I suggest normatively that BCM and its non-accounting expertise base may provide a more successful knowledge platform for rethinking risk management. BCM may not have the surface coherence or legitimacy of ERM frameworks but it operates with a notion of embeddedness as interconnectedness, which is both closer to the insights of economic sociologists and aligned with the interests of macro-prudential regulators. So in the quirky and evolving world of BCM practice there is a nascent recognition that security is only possible as a collective activity. While this is far from being unproblematic, it contrasts with ERM, where we now know that security is at best limited to certain states of the world and at worst is illusory. Indeed, ERM may be framed by the wrong experts pursuing the wrong kind of embeddedness for inward looking clients. Despite and because of its staggeringly successful diffusion, it ends up as the costly risk management of nothing.
Conclusions
Beck (1992: 69) tells us that society has become a laboratory, although today it is the financial, rather than the scientific, engineers who have been experimenting.[3] He suggests that in a risk society there are no longer any experts as our faith in a central steering mechanism for societies is challenged by the evident and public ‘perplexity of authorities’ (1992: 40). In 2009, this perplexity is very likely to lead to demands for more and better risk management, yet we should be very cautious about how the risk management reform agenda is progressed. ERM may be more a symptom of where we have been than the cure for the future.

[3] Of course, financial ‘engineering’ has been a lucrative career destination for science and engineering graduates.
I have suggested that a thin conception of ‘risk appetite’
predominantly focused on capital rather than human
behaviour is an important source of ‘intellectual failure’
within the ERM model which should be addressed by reg-
ulators, senior management and boards. The latter are
beginning to break free from regarding appetite solely as
a ‘thing’ to be measured and to recognise it as a dynamic
construction involving values and the situational experi-
ence of a multitude of organizational agents. Rather than
vague demands for improved ‘risk culture’ and governance
in financial institutions, it could be useful to focus on ‘risk
appetite’ as a process for representing and intervening in
the complex ecology of operational values and shifting eth-
ical limits. This will give rise to a less comfortable and less
comfort-producing risk management practice. We now
know, at some cost, that the production of psychological
and bureaucratic safety via an elaborate infrastructure of
audit trails is of limited value in intelligently challenging
business models. Risk management practices of this kind
only work in an orderly world of medium frequency, med-
ium impact mishaps.
The ERM approach has served an advisory world well by
establishing a conceptual foothold for accounting knowl-
edge in strategising discourses. Yet, within ERM frame-
works the objectives of a business which are ‘at risk’ are
more or less an exogenous input into the model with the
consequence that it is hard to enlist such a framework in
challenging the objectives themselves. For example, ERM
is unlikely to supply the basis for addressing the dynamics
of what Hirschhorn (1999) calls ‘primary risk’, namely
where organizations experience ambiguity, drift or trans-
formation in their core objectives, and hence business
models, as seems to have happened to a number of banks.
Despite calls to be outward looking, ERM has operated as a
boundary preserving model of risk management, rather
than a boundary challenging practice which confronts
and addresses the complex realities of interconnectedness.
We cannot know for sure whether changing the risk
management narrative in these directions could have
avoided or mitigated the crisis, but we can be sure that
existing risk management designs have let us down, and
many people knew this. Critics of Basel 2 and Sarbanes-Ox-
ley prior to 2007 were plentiful. So the question must be
asked: why could these not-so-weak signals be ignored?
One depressing answer is that the growth of risk
management from the mid-1990s onwards – the risk man-
agement of nearly everything – was less about managing
risk as it is formally understood and more about creating
organizational rhythms of accountability, and auditable
representations of due process. We have fallen prey to a
legitimacy-driven style of risk management which has been
extensively institutionalised and globalised, and important
issues of ‘risk appetite’ have become lost in the procedural
detail of organization-speci?c internal control, compliance
and accounting systems.
No individual person, or group of persons, calling
themselves accountants is responsible and blameworthy,
despite political efforts to make heads of professional ser-
vice ?rms feel very uncomfortable. The problem goes much
deeper: no less than an accounting style of knowing and a
logic of auditability are responsible for restricting the
development of a risk management which might have
done a better job. But there is plenty of blame to go around
when it comes to knowledge. The social sciences have col-
luded, directly and indirectly, with the failings of this
accounting style of knowing in general and ERM in partic-
ular. Financial economics has constructed a dominant con-
ception of risk appetite via the register of economic capital
metrics, and business schools have produced case studies
and surveys which celebrate the implementation progress
of ERM and castigate the stragglers. Yet ERM designs have
also been conceptually cut off from other currents of the
social sciences and older analyses and debates about ‘reli-
ability seeking’ organizations which might be relevant to
the banking sector (LaPorte & Consolini, 1991). Worse still
perhaps, the ?eld of economic sociology has been unable or
unwilling to translate its insights in a manner which might
inform and influence policy. We now all know what economic sociologists and anthropologists have taken as a given for many decades: large financial institutions are embedded in society, and always have been. Only the ‘legalistic illusion’ of separate entityhood, backed by the neoliberal belief in the coordinating priority of the market, has led us to think of them as autonomous islands. Their
embeddedness in all our lives is now formally registered
in varieties of state ownership and guarantee, but many
scholars knew that such guarantees and backing were al-
ways implicitly the case.
In short, the ‘intellectual failure’ of this financial crisis
may be much closer to the home of Accounting, Organiza-
tions and Society readers than we might care to imagine.
References
Ahrne, G., & Brunsson, N. (2006). Organizing the world. In M.-L. Djelic & K.
Sahlin-Andersson (Eds.), Transnational governance: Institutional
dynamics of regulation (pp. 74–94). Cambridge: Cambridge
University Press.
Beck, U. (1992). Risk society – Towards a new modernity. London: Sage.
Briloff, A. J. (2001). Garbage in/garbage out: A critique of fraudulent
financial reporting: 1987–1997 (the COSO report) and the SEC
accounting regulatory process. Critical Perspectives on Accounting,
12(2), 125–148.
COSO (2004). Enterprise risk management. Committee of Sponsoring
Organizations of the Treadway Commission.
Drori, G. (2006). Governed by governance: The new prism for
organizational change. In G. Drori, J. Meyer, & H. Hwang (Eds.),
Globalization and Organization: World Society and Organizational
Change (pp. 91–118). Oxford: Oxford University Press.
Fligstein, N., & Dauter, L. (2007). The sociology of markets. Annual Review
of Sociology, 33, 105–128.
FRC (2005). Internal control – Revised guidance for directors on the combined
code. London: Financial Reporting Council.
Frey, B., & Jegen, R. (2001). Motivation crowding theory. Journal of
Economic Surveys, 15(1), 589–611.
Froud, J., Haslam, C., Johal, S., & Williams, K. (2000). Shareholder value and
financialization: Consultancy promises, management moves.
Economy and Society, 29(1), 80–110.
FSA (2006). Business continuity management practice guide. London:
Financial Services Authority [November].
Hall, J., & Johnson, M. (2009). When should a process be art not science?
Harvard Business Review, March, 58–65.
Hirschhorn, L. (1999). The primary risk. Human Relations, 52(1), 5–23.
Holt, R. (2004). Risk management: The talking cure. Organization, 11(2),
251–270.
Hood, C. (1996). Where extremes meet: “SPRAT” versus “SHARK” in
public risk management. In C. Hood & D. Jones (Eds.), Accident and
design (pp. 208–227). London: UCL Press.
Hopwood, A. G. (1974). Leadership climate and the use of accounting data
in performance evaluation. The Accounting Review, 49(3), 485–495.
Joint Forum (2006). High level principles for business continuity. Basel
Committee on Banking Supervision.
Knowledge@Wharton (2009). Re-thinking risk management: Why the
mindset matters more than the model.
Kunreuther, H., & Heal, G. (2005). Interdependencies within an
organization. In B. Hutter & M. Power (Eds.), Organizational encounters
with risk (pp. 190–208). Cambridge: Cambridge University Press.
LaPorte, T., & Consolini, P. (1991). Working in theory but not in practice:
Theoretical challenges of “high reliability organizations”. Journal of
Public Administration Research and Theory, 1, 19–47.
March, J., & Shapira, Z. (1987). Managerial perspectives on risk and risk
taking. Management Science, 33(11), 1404–1418.
Mayo, D., & Hollander, D. (Eds.). (1991). Acceptable evidence: Science and
values in risk management. Oxford: Oxford University Press.
McGivern, G., & Ferlie, E. (2007). Playing tick-box games: Interrelating
defences in professional appraisal. Human Relations, 60, 1361–1385.
Meyer, J. (2002). Globalization and the expansion and standardization of
management. In K. Sahlin-Andersson & L. Engwall (Eds.), The
Expansion of Management Knowledge: Carriers, Flows and Sources
(pp. 33–44). Stanford: Stanford University Press.
Mikes, A. (2009). Risk management and calculative cultures. Management
Accounting Research, 20(1), 18–40.
O’Malley, P. (2004). Risk, uncertainty and government. London: Glasshouse
Press.
Pentland, B. T. (1993). Getting comfortable with the numbers: Auditing
and the micro-production of macro-order. Accounting, Organizations
and Society, 18(7/8), 605–620.
Power, M. (2004). The risk management of everything. London: Demos.
Power, M. (2007). Organized uncertainty: Designing a world of risk
management. Oxford: Oxford University Press.
Robinson, D. (2007). Control theories in sociology. Annual Review of
Sociology, 33, 157–174.
Scott, J. (1998). Seeing like a state: How certain schemes to improve the
human condition have failed. New Haven, Ct.: Yale University Press.
Silbergeld, E. (1991). Risk assessment and risk management: An uneasy
divorce. In D. Mayo & D. Hollander (Eds.), Acceptable evidence: Science
and values in risk management (pp. 99–114). Oxford: Oxford
University Press.
Simons, R. (1999). How risky is your company? Harvard Business Review,
77(May–June), 85–94.
Stulz, R. (2009). Six ways companies mismanage risk. Harvard Business
Review, March, 86–94.
Turner, B. (1976). The organizational and inter-organizational
development of disasters. Administrative Science Quarterly, 21(3),
378–397.
Turner, A. (2009). Foreword by the chairman. Financial Services Authority
business plan 2009/10. London: Financial Services Authority.
Whitley, R. (1986). The transformation of business finance into financial
economics: The roles of academic expansion and changes in US
capital markets. Accounting, Organizations and Society, 11, 171–192.
Wynne, B. (1996). May the sheep safely graze? A reflexive view of the
expert-lay knowledge divide. In S. Lash, B. Szerszynski, & B. Wynne
(Eds.), Risk, environment and modernity: Towards a new ecology
(pp. 44–83). London: Sage.
Introduction
It is far easier to blame individuals than entire systems
of thought; senior executives of failed organizations can be
asked to apologise in public, but the architecture of
concepts and assumptions within which they operate is
less visible and accountable. Yet if the roots of this ?nan-
cial crisis do indeed lie in a ‘wide ranging intellectual fail-
ure’ (Turner, 2009: p. 5), it is necessary to shift the focus of
blame and analysis from the usual human suspects, not-
withstanding what might be thought of them as individu-
als, and consider much harder questions of knowledge. In
this essay, I focus on the near theological belief in enter-
prise risk management (ERM) and suggest that it is deeply
implicated in a widespread failure of managerial and regu-
latory intelligence, despite the fact that many good and
capable people are involved in its operationalisation. In-
deed, policy makers need to understand the limitations
of ERM as a platform for institutional re-building.
ERM is not a single thing, conceptually or practically. At
the level of design ERM is a label for a system of concepts
which have grown in organizational signi?cance since the
mid-1990s, arguably the period of ‘incubation’ (Turner,
1976) for the present crisis. The basic conception, as re-
vealed in a vast body of guidance, is simple and super?-
cially uncontentious: risk management and mitigation
processes should be explicitly related to organizational
and sub-organizational objectives. Prescriptively, organiza-
tions should seek to identify all material risks to their
objectives and sub-objectives, design controls and mitiga-
tions which produce a residual risk consistent with a target
risk appetite, and monitor this entire process, making
feedback adjustments as necessary. The model is that of
a thermostat which adjusts to changes in environment
subject to pre-given target temperature. From this some-
what mechanical point of view, problems with ERM are
typically attributed by surveys of practice to implementa-
tion de?cits and operational frictions – ‘if only we could
do it properly’ – rather than the design philosophy itself.
While ERM has numerous sources feeding the same
basic idea, the COSO (2004) version has become a world-
level template for best practice over a short period of time
(Power, 2007). COSO stands for the Committee of Sponsor-
ing Organizations of the Treadway Commission, an
‘organizing organization’ (Ahrne & Brunsson, 2006) or
coalition of the main accounting and ?nance trade
0361-3682/$ - see front matter Ó 2009 Elsevier Ltd. All rights reserved.
doi:10.1016/j.aos.2009.06.001
q
The author is grateful for the helpful comments of Peter Bonisch and
Anthony Hopwood.
E-mail address: [email protected]
Accounting, Organizations and Society 34 (2009) 849–855
Contents lists available at ScienceDirect
Accounting, Organizations and Society
j our nal homepage: www. el sevi er. com/ l ocat e/ aos
associations in the United States and formed in the light of
concerns about fraudulent ?nancial reporting in the mid-
1980s.
1
The Treadway Commission reported its ?ndings in
1987 and COSO published guidance on internal control in
1992.
2
This guidance provides the antecedent conceptual
building blocks for the 2004 framework for enterprise risk
management, hence a direct line of in?uence on ERM can
be traced to an accounting conception of internal control, it-
self a product of broader engineering conceptions of control
theory. So the ERM model is strongly, if not exclusively,
in?uenced by accounting and auditing norms of control,
with an emphasis on process description and evidence.
The programmatic aspiration of ERM is twofold. First,
like any managerial innovation, it promises that mistakes
of the past will be mitigated, if not avoided, by a more ra-
tional and synthetic conception of risk management capa-
ble of a ‘canopy-like’ view of the organization (Drori, 2006).
For example, ERM is closely associated with a conception
of integrated risk management at the ?rm level, an integra-
tion which promises more ef?cient use of scarce capital,
the ability to charge business units according to the
amount of capital they place at risk, and more coherent
insurance strategies which recognise the natural diversi?-
cation bene?ts at work in any large organization. Second,
ERM also embodies an aspiration for enterprising risk man-
agement, namely a conception of risk management which
is positive, entrepreneurial and explicitly in the service of
wealth creation: ‘risks are no longer the dark side of oppor-
tunities, they are also market opportunities’ (Beck, 1992:
46). From this it is easy to articulate a win–win logic of
ERM; good risk management is good business.
Yet, for all the self-evidence of its conceptual elements
and its core aspirations, I argue below that ERM is ?awed
at the level of design in three fundamental ways that de-
serve attention. First, I suggest that the ‘enterprise-wide’
view and the related notion of a singular organizational
risk appetite are highly problematic. Indeed, the design
and focus of ERM necessarily impoverishes a conception
of risk appetite as organizational process. Second, the
sources of this impoverishment lie in the deep complicity
of ERM in the expanded signi?cance of a ‘logic of auditabil-
ity’. The proliferation of detailed process-based rules for
risk management is normally assumed to be a defect of
implementation, yet accounting ideals of internal control
are embedded in the design itself, resulting in a style of risk
management practice with wide and seductively expansive
reach – the risk management of everything (Power, 2004).
Third, the resulting expensive narratives of risk account-
ability have proven to be incapable of articulating and
comprehending critical risks, particularly those associated
with interconnectedness. ERM operates with a limited con-
ception of embeddedness, although developments in busi-
ness continuity management suggest a way beyond ERM,
and its accounting knowledge base, which take intercon-
nectedness as a given.
Risk enterprising and appetising
The very idea of risk ‘appetite’, which is at the heart of
risk management practice, is closely bound up with the
neoliberal postulation of organizations as ‘enterprising’
selves. Whereas a longstanding public sector tradition in
health and safety has operated with the notion of risk ‘tol-
erance’, the category of ‘risk appetite’ has a less precau-
tionary connotation and is aligned with that of the
enterprising actor. This is consistent with Meyer (2002)
and others who have drawn attention to the ‘explosion of
organizing and organizations’ which characterises recent
times, and to the emergence of a distinctive organizational
actorhood which is con?dent, self-knowing and autono-
mous. Contemporary conceptions of risk appetite re?ect
this world-level conception and articulate organizations
as legitimate risk-takers on behalf of society. From this
point of view, the ‘enterprise’ concept infuses the ‘organi-
zation-wide’ character of enterprise risk management
(ERM) with an entrepreneurial, risk-taking normativity,
which requires that organizations and individuals know
their appetite for risk (O’Malley, 2004).
The ambition to represent an organization as an inte-
grated whole is something which ERM shares with ?nan-
cial accounting. Such ambitions are widespread in public
policy and regulation. Scott (1998) and others suggest that
all such programmatic dreams are doomed to failure; not
least because their ‘thin simpli?cations’ are inadequate to
reproduce domain-speci?c complexity. ‘Seeing like a state’
requires many things to be ignored, but these overlooked
‘frictions’ eventually re-impose themselves and take re-
venge on policy makers. Similarly ERM is a policy blueprint
for seeing ‘like’ an ideal-typical organization. Developing
the capacity to ‘visualise’ the whole of an organization
via risk maps as a unitary and intentionalistic actor con-
veys a form of statehood on organizations. Through ERM
they are required to act on, and govern, themselves.
While the enterprise-wide view, as articulated in stan-
dards and guidelines for ERM, expresses and symbolises
the ?rm as an intelligent and intentional actor, it does so
in a reductive manner consistent with a cybernetic or ma-
chine like representation of action. Such representations of
control and what it is to be in control have invited critical
analysis (e.g. Robinson, 2007). At the heart of the machine
idea the category of ‘risk appetite’ names the value inputs
which, in theory, prescribe triggers, limits and tolerances
for feedback and control purposes. For example, of?cial
standards like those of COSO de?ne risk appetite as the
amount of risk an entity is willing to bear, an amount which
can be rationally determined by senior management of an
organization.
Although, COSO (2004) envisages the possibility of
‘qualitative’ understandings of risk appetite, the dominant
conception is that of a quantitative benchmark such as a
target level of ?nancial capital to be maintained. In theory,
capital is a buffer of high quality and liquid assets held as a
kind of self-insurance against shocks and adverse events.
While capital is at the heart of prudential regulatory phi-
losophies, the actual level may exceed regulatory require-
ments to re?ect a desired credit rating. However, even
allowing for issues of de?nition and measurement, this
1
The sponsors of COSO include: The American Institute of Certi?ed
Public Accountants; The Institute of Internal Auditors; the Financial
Executives International, the Institute of Management Accountants and
the American Accounting Association.
2
For a critical evaluation of COSO see Briloff (2001).
850 M. Power / Accounting, Organizations and Society 34 (2009) 849–855
concept of capital embodies, and conceals, at least two
kinds of preference – those of society, as expressed by
the law and enforced by a ?nancial regulator, and those
of the entity itself in its economic pursuits. In turn, this
suggests that the very concept of risk appetite necessarily
implicates the question of ‘whose appetite counts?’
This question about risk appetite is hardly very new. It
was vigorously debated in the context of health and safety
regulation in the 1970s and 1980s (Mayo & Hollander,
1991) where the relationship between risk analysis and
risk management was at issue. Proponents of a sharp dis-
tinction between analysis and management argued that
the former is essentially ‘scienti?c’ and neutral while the
latter is value laden, embodying ideas of risk tolerance
and acceptability as inputs into the management process.
This sharp duality was challenged by the view that values
pervade so-called scienti?c analysis itself because risks are
selected and framed (March & Shapira, 1987; Silbergeld,
1991). Furthermore, the values which enter the risk analy-
sis and management process may and should be contested
by different groups. Several authors argued strongly
against the authority of experts in matters of public risk
tolerance (e.g. Wynne, 1996).
It is interesting that, unlike environmental regulation,
?nancial regulation has been relatively immune to debates
of this kind. Such a debate would surely have problema-
tized the predominantly technical articulation of risk appe-
tite by COSO and others, especially for socially signi?cant
organizations like banks. The conception of ‘appetite’ as a
singular input into ERM re?ects the ‘thermostatic’ concep-
tion of risk management noted above. In stark contrast,
Hood (1996) imagines a model of institutionalized con?ict
between different ‘appetites’, for example laterally be-
tween sales and control functions, or hierarchically be-
tween senior management and traders. Even control
functions can vary internally their values and ‘calculative
culture’ (Mikes, 2009; Power, 2007). Hood argues that such
a con?ictual and pluralistic model is more descriptive of
how organizations actually work, and makes lower de-
mands on organizational and political rationality to pro-
duce a single ‘appetite’ by explicitly recognising and
institutionalising processes by which different appetites
and values can be mediated. The process of synthesis is
undoubtedly a signi?cant senior management challenge.
These ideas are promising for progressing the broad con-
cerns about governance failure as a cause of the ?nancial
crisis. The governance failure is in fact a knowledge failure.
Conceptualising risk appetising as a process might better di-
rect risk management attention to where it has likely been
lacking, namely to the multiplicity of interactions which
shape operational and ethical boundaries at the level of orga-
nizational practice. COSO-style ERM principles effectively
limit the concept of risk appetite within a capital measure-
ment discourse. Framing risk appetite as the process
through which ethics and incentives are formed and re-
formed would not exclude this technical conception, but
would bring it closer to the insights of several decades of
organization theory. While the shape of this risk appetising
process needs more speci?cation, as a starting point it is
more aligned with contemporary concerns about gover-
nance and may give these concerns more traction.
How has the ERM conception of risk management
gained such a strong institutional foothold? The answer
is complex but would point to cultural and epistemological
processes of ?nancialization which have shaped the
increasingly reductive manner in which organizations are
conceptualised, known, managed and regulated (Froud,
Haslam, Johal, & Williams, 2000; Whitley, 1986). Yet while
it is tempting to criticise ?nancial economics and the over-
con?dence in tools, such as value-at- risk modelling, it may
be that the accounting and auditing knowledge base which
has been diffused by COSO has been much more signi?cant
in limiting a more intelligent conceptualisation of risk
appetite as a process. COSO (2004) says very little about
risk appetite relative to its emphasis on the elements of
internal control and governance. It is a design which
strongly reproduces the accountants’ conception of what
matters.
In summary: the concept of ‘risk appetite’ has been pro-
moted as part of the widespread diffusion of ERM, yet
understanding of the concept and its implications is weak
relative to the more bureaucratic elements of the frame-
work. COSO and similar risk management texts presume
that risk appetite can be unambiguously known and
understood by organizations and the individuals within
them. Yet, such a presumption ?ies in the face of behav-
ioural studies which suggest that decisions in the face of
risk are subject to framing and biases (e.g. March & Shapi-
ra, 1987). Add to this an extension of Arrow’s famous the-
orem which suggests that preferences cannot be
consistently aggregated and it is clear that organizations,
as much as societies, are constituted by varieties of risk
appetites which change over time and according to con-
text. COSO-style ‘risk appetite’ is at best an approximate
description of the mix of attitudes and values about oper-
ational and ethical conduct which pervade organizational
life. At worst it is fundamentally misleading. As policy
makers search the rubble for new ideas, they could do
worse than correct the COSO emphasis on control elements
and conceptualise risk appetising as an organizational pro-
cess. Such a reformulation would suggest, rather obviously
with the bene?t of hindsight, that the actions of different
members of an organization may reveal different attitudes
to risk. This would not make risk management easy, but it
would have a much better chance to represent and focus
on issues about governance quality which now preoccupy
regulators. Without this focus the formalities of risk appe-
tite as expressed in a corporate policy document provide
only symbolic security. However, a huge barrier to a richer
and more meaningful ecology of values within the risk
management process is the smothering normativity of
the accounting and auditing logic, which I now consider.
Making easy things auditable
The promise of ‘rational’ organizational and, by implica-
tion, societal safety in ERM as developed during the 1990s
was celebrated as a correction to risk myopia – the so-
called silo mentality – and was to promote more ef?cient
use of capital in ?nancial and non-?nancial institutions
alike (COSO, 2004). Yet, as noted above, COSO-based ERM
M. Power / Accounting, Organizations and Society 34 (2009) 849–855 851
is fundamentally an accounting-driven blueprint which
emphasises a controls-based approach to risk manage-
ment. This design emphasis means that efforts at imple-
mentation will have an inherent tendency to elaborate
detailed controls with corresponding documents trails.
Perhaps the most extreme example of this phenomenon
has been the experience of the Sarbanes-Oxley legislation
since it was passed in 2002. Demands under section 404
for evidence of effective controls over ?nancial statements
were ampli?ed by a combination of auditors and manage-
ment. Despite efforts to rewrite audit guidance, an ‘audit
trail’ logic continues to organize practice to a considerable
degree despite very extensive public criticism. Indeed,
‘box-checking’ may be widely derided, but as a legitimised
evidence base for the supposed effectiveness of control and
risk management activities, it remains durable.
The power of this logic of auditability in shaping think-
ing raises an immediate policy issue about the epistemo-
logical balance within risk management practice. Put
somewhat stereotypically, the ?nancial crisis suggests an
urgent need to shift cognitive and economic resources
from‘rule-based compliance’ towards the ‘critical imagina-
tion of alternative futures’.
Rule-based compliance lays down regulations to be
met, and requires extensive evidence, audit trails and box
‘checking’. All this demands considerable work and there
is daily pressure on operational staff to process regulatory
requirements. Yet, despite the workload volume pressure,
this is also a cognitively comfortable world which focuses
inwards on routine systems and controls. The auditability
of this controls architecture can be theorized as a defence
against anxiety and enables organizational agents to feel
that their work conforms to legitimised principles (McGi-
vern & Ferlie, 2007). This world of precise rules is expen-
sive and potentially distracting, and intrinsic motivation
may be polluted by extrinsic rules (Frey & Jegen, 2001),
but its underlying logic is also psychologically and institu-
tionally attractive, and persists because it offers a regu-
lated transparency to the risk management process.
While many risk and compliance people at the operational
level prefer this less ambiguous and more rule-based
world, it is also a rather dangerous generalised and stan-
dardized orientation for organizations, regulatory bodies
and societies (e.g. Hall & Johnson, 2009).
In contrast, the ‘critical imagination of alternative futures’ is loosely related to what financial regulators call stress-testing, but as an ideal-typical risk management style we might characterise it as a less comfortable arena for organizational agents which is explicitly directed at creating ambiguity and challenge to core elements of business models. Because such core elements often form an organizational belief system (Simons, 1999), the imagination of alternative futures is likely to involve the production of discomfort, as compared with the formal ‘comfort’ of auditing (Pentland, 1993). The approach can take the form of scenario analysis in which participants from different disciplines in an organization can collectively track the trajectory of potential decisions and events. The process begins as an ‘encounter’ with risk and leads to the confrontation of limitation and ambiguity (e.g. Stulz, 2009). Such stress-testing ought in fact to produce stress and anxiety of a different kind, arising not from a concern for legitimacy but from the nature of knowledge and uncertainty itself.
The difference between these two orientations is, as noted, stereotypical, and there is quite a bit of middle ground. But the difference is instructive nevertheless. Within a rule-based, compliance model of risk management, many small actions are needed to fix things and to give risk managers a sense of doing something. There is no shortage of work and overload is the norm. By contrast, stress-testing produces uncertainty and alternative futures become an invitation to deliberation, rather than the creation of an ‘auditable’ fact (Holt, 2004). Yet such an orientation as a local, interactive process with its own decision making ‘style’ (Hopwood, 1974) is also likely to be transformed by centralised demands for proof. This potential transformation and capture by a logic of practice which prioritises the ‘audit trail’ is a critical challenge to contemporary financial regulators, who are themselves under the spell of the ERM blueprint because it allows them to supervise organizational conformity to it. The challenge is to expand processes which support interaction and dialogue and de-emphasise due process – both within risk management practice and between regulator and regulated. The normative policy need is to nurture regulatory and managerial capacity to develop and sustain a rich and varied risk management ecology which is not biased to a logic of audit and its demands for evidence, and which can tolerate a mix of decision styles and strategies.
The wrong kind of embeddedness?
The need to embed ‘risk management and internal control systems within business processes’ (FRC, 2005: 3) has become an unquestioned ERM imperative, yet there is very little elaboration of what that might involve. Regulators look for the inclusion of risk in job descriptions and for business heads to be designated as ‘risk owners’. There is also now an advisory consensus that risk should be a critical optic in shaping budgeting, planning and strategy processes. Yet the continuing existence of large risk management bureaucracies in organizations suggests that embeddedness is both complex and elusive. Like risk appetite, the accountants’ concept of embeddedness, as articulated in the Turnbull report, is pitched at the level of principle, leaving organizations to figure things out for themselves.
The Turnbull norm of embeddedness is essentially entity-based, bearing little or no relation to conceptions of the embeddedness of the firm in wider social networks as developed within economic sociology (Fligstein & Dauter, 2007). Yet the financial crisis is largely the result of a failure to represent and understand entity interconnectedness in this wider sense of embeddedness.
It may seem unfair to criticise ERM for failing to do something for which it was never designed in the first place, but there is a ‘conceptual complicity’ in its design, namely a deep-seated commitment to the discrete ‘entityhood’ of enterprise, which is part of the problem. The entity assumption is hardly new; arguably it pervades managerial and regulatory knowledge and is supported in both law (corporate personality) and accounting (the entity concept). And despite the evidence of decades on networks and strategic alliances, it is a fiction or illusion which may be functionally necessary for capitalism. Yet, ERM also marks out another very important vector of entityhood, namely that of the individual client as recipient of advisory services. It is difficult, though not impossible, for fields or even societies to be marked as clients, but it is predominantly at the enterprise level where ERM finds its strongest conditions of applicability.
852 M. Power / Accounting, Organizations and Society 34 (2009) 849–855
Prima facie it makes sense to leave the more systemic view of interconnectivity to a body designed for that specific purpose, such as macro-prudential management of the banking system by a regulator. However, since all authorities have been surprised by this financial crisis, the relationship between enterprise level risk management and macro-prudential management deserves to be revisited. This is not simply an issue for financial institutions; two decades of environmental auditing at the enterprise level appear, superficially at least, to be entirely unconnected with the steady advance of climate change. The critical point is that risk management designs like ERM are fundamentally unable to process and represent internally systemic risk issues, since this would require an imagination of externalities well beyond their design parameters. One possible reason for this inability may lie in the economics of professional work in the accounting-centred advice industry. Large professional service firms tend to operate with standardized and abstract elements applicable to a mass of different ‘entities’. For rank and file accountants to operationalise such frameworks cost effectively, they must of necessity be weak on the kind of causal analysis necessary for an understanding of interconnectedness.
In this way, questions of the knowledge base of ERM connect to the wider political economy of professional advisory firms – the very firms who will be enlisted and will offer themselves in reforming risk management practice. ERM systems cannot represent embeddedness in the sense of interconnectedness; its proponents seem only to demand an intensification of embedding at the individual entity level. Yet, this latter kind of embedding of a compliance driven risk management, epitomised by the Sarbanes-Oxley legislation, is arguably a disaster in itself, by tying up resources and, much worse, cognition and attention in ‘auditized’ representations of business processes.
All is not lost. At the margins of the ERM consensus, there are interesting developments which may productively challenge ‘entityhood’. Business continuity management (BCM) has been a rapidly developing and hybrid field in recent years. Not only is it an increasingly prominent part of the changing risk management agenda, it is also a practice area where interconnectivity risks are central. BCM has originated outside of the accounting field of knowledge and potentially adds greater depth to the ‘going concern’ assumption. BCM involves hybrid specialists in IT and emergency management among others, and has moved up the agenda of financial regulators because of their interest in systemic risk (FSA, 2006). BCM is also much more explicit about its own epistemological challenge: it only has real value at the level of collective action. BCM is sensitive to the need to get beyond prescriptions for single organizations acting in isolation from one another; the integrity of any individual company BCM is necessarily a function of the BCM of its key commercial partners – not only suppliers but also competitors. Indeed, continuity of critical supply chains, including energy, is both a key business issue and also a powerful normalising metaphor for this new angle of approach to risk management (Knowledge@Wharton, 2009).
BCM is fundamentally unlike discrete risk management practices such as ERM in its self-understanding. It is premised on the necessity of representing the interconnected nature of commercial life, as revealed in outsourcing arrangements and other strategic alliances. When it comes to BCM, one might say, perhaps obviously, that ‘no enterprise is an island’. However, as appealing as these ideas may be, there remain considerable institutional barriers to collective action of this kind: ‘getting organizations to recognize these interdependencies and achieving the commitment required to actively manage resilience issues which require collective rather than individual ownership remains a significant challenge’ (Joint Forum, 2006: 8). The risk with BCM, as with all safety measures and security checking, is that underinvestment in part of an interconnected system undermines efforts elsewhere and creates only illusions of security. This is the classic moral hazard problem for risk management of the ‘commons’ (Kunreuther & Heal, 2005).
In conclusion, I suggest normatively that BCM and its non-accounting expertise base may provide a more successful knowledge platform for rethinking risk management. BCM may not have the surface coherence or legitimacy of ERM frameworks but it operates with a notion of embeddedness as interconnectedness, which is both closer to the insights of economic sociologists and aligned with the interests of macro-prudential regulators. So in the quirky and evolving world of BCM practice there is a nascent recognition that security is only possible as a collective activity. While this is far from being unproblematic, it contrasts with ERM, where we now know that security is at best limited to certain states of the world and at worst is illusory. Indeed, ERM may be framed by the wrong experts pursuing the wrong kind of embeddedness for inward looking clients. Despite and because of its staggeringly successful diffusion, it ends up as the costly risk management of nothing.
Conclusions
Beck (1992: 69) tells us that society has become a laboratory, although today it is the financial, rather than the scientific, engineers who have been experimenting.[3] He suggests that in a risk society there are no longer any experts as our faith in a central steering mechanism for societies is challenged by the evident and public ‘perplexity of authorities’ (1992: 40). In 2009, this perplexity is very likely to lead to demands for more and better risk management, yet we should be very cautious about how the risk management reform agenda is progressed. ERM may be more a symptom of where we have been rather than the cure for the future.
[3] Of course, financial ‘engineering’ has been a lucrative career destination for science and engineering graduates.
I have suggested that a thin conception of ‘risk appetite’ predominantly focused on capital rather than human behaviour is an important source of ‘intellectual failure’ within the ERM model which should be addressed by regulators, senior management and boards. The latter are beginning to break free from regarding appetite solely as a ‘thing’ to be measured and to recognise it as a dynamic construction involving values and the situational experience of a multitude of organizational agents. Rather than vague demands for improved ‘risk culture’ and governance in financial institutions, it could be useful to focus on ‘risk appetite’ as a process for representing and intervening in the complex ecology of operational values and shifting ethical limits. This will give rise to a less comfortable and less comfort-producing risk management practice. We now know, at some cost, that the production of psychological and bureaucratic safety via an elaborate infrastructure of audit trails is of limited value in intelligently challenging business models. Risk management practices of this kind only work in an orderly world of medium frequency, medium impact mishaps.
The ERM approach has served an advisory world well by establishing a conceptual foothold for accounting knowledge in strategising discourses. Yet, within ERM frameworks the objectives of a business which are ‘at risk’ are more or less an exogenous input into the model, with the consequence that it is hard to enlist such a framework in challenging the objectives themselves. For example, ERM is unlikely to supply the basis for addressing the dynamics of what Hirschhorn (1999) calls ‘primary risk’, namely where organizations experience ambiguity, drift or transformation in their core objectives, and hence business models, as seems to have happened to a number of banks. Despite calls to be outward looking, ERM has operated as a boundary preserving model of risk management, rather than a boundary challenging practice which confronts and addresses the complex realities of interconnectedness.
We cannot know for sure whether changing the risk management narrative in these directions could have avoided or mitigated the crisis, but we can be sure that existing risk management designs have let us down, and many people knew this. Critics of Basel 2 and Sarbanes-Oxley prior to 2007 were plentiful. So the question must be asked: why could these not-so-weak signals be ignored?
One depressing answer is that the growth of risk management from the mid-1990s onwards – the risk management of nearly everything – was less about managing risk as it is formally understood and more about creating organizational rhythms of accountability, and auditable representations of due process. We have fallen prey to a legitimacy-driven style of risk management which has been extensively institutionalised and globalised, and important issues of ‘risk appetite’ have become lost in the procedural detail of organization-specific internal control, compliance and accounting systems.
No individual person, or group of persons, calling themselves accountants is responsible and blameworthy, despite political efforts to make heads of professional service firms feel very uncomfortable. The problem goes much deeper: no less than an accounting style of knowing and a logic of auditability are responsible for restricting the development of a risk management which might have done a better job. But there is plenty of blame to go around when it comes to knowledge. The social sciences have colluded, directly and indirectly, with the failings of this accounting style of knowing in general and ERM in particular. Financial economics has constructed a dominant conception of risk appetite via the register of economic capital metrics, and business schools have produced case studies and surveys which celebrate the implementation progress of ERM and castigate the stragglers. Yet ERM designs have also been conceptually cut off from other currents of the social sciences and older analyses and debates about ‘reliability seeking’ organizations which might be relevant to the banking sector (LaPorte & Consolini, 1991). Worse still perhaps, the field of economic sociology has been unable or unwilling to translate its insights in a manner which might inform and influence policy. We now all know what economic sociologists and anthropologists have taken as a given for many decades: large financial institutions are embedded in society, and always have been. Only the ‘legalistic illusion’ of separate entityhood, backed by the neoliberal belief in the coordinating priority of the market, has led us to think of them as autonomous islands. Their embeddedness in all our lives is now formally registered in varieties of state ownership and guarantee, but many scholars knew that such guarantees and backing were always implicitly the case.
In short, the ‘intellectual failure’ of this financial crisis may be much closer to the home of Accounting, Organizations and Society readers than we might care to imagine.
References
Ahrne, G., & Brunsson, N. (2006). Organizing the world. In M.-L. Djelic & K. Sahlin-Andersson (Eds.), Transnational governance: Institutional dynamics of regulation (pp. 74–94). Cambridge: Cambridge University Press.
Beck, U. (1992). Risk society – Towards a new modernity. London: Sage.
Briloff, A. J. (2001). Garbage in/garbage out: A critique of fraudulent financial reporting: 1987–1997 (the COSO report) and the SEC accounting regulatory process. Critical Perspectives on Accounting, 12(2), 125–148.
COSO (2004). Enterprise risk management. Committee of the Sponsoring Organizations of the Treadway Commission.
Drori, G. (2006). Governed by governance: The new prism for organizational change. In G. Drori, J. Meyer, & H. Hwang (Eds.), Globalization and organization: World society and organizational change (pp. 91–118). Oxford: Oxford University Press.
Fligstein, N., & Dauter, L. (2007). The sociology of markets. Annual Review of Sociology, 33, 105–128.
FRC (2005). Internal control – Revised guidance for directors on the combined code. London: Financial Reporting Council.
Frey, B., & Jegen, R. (2001). Motivation crowding theory. Journal of Economic Surveys, 15(1), 589–611.
Froud, J., Haslam, C., Johal, S., & Williams, K. (2000). Shareholder value and financialization: Consultancy promises, management moves. Economy and Society, 29(1), 80–110.
FSA (2006). Business continuity management practice guide. London: Financial Services Authority [November].
Hall, J., & Johnson, M. (2009). When should a process be art not science? Harvard Business Review, March, 58–65.
Hirschhorn, L. (1999). The primary risk. Human Relations, 52(1), 5–23.
Holt, R. (2004). Risk management: The talking cure. Organization, 11(2), 251–270.
Hood, C. (1996). Where extremes meet: ‘‘SPRAT” versus ‘‘SHARK” in public risk management. In C. Hood & D. Jones (Eds.), Accident and design (pp. 208–227). London: UCL Press.
Hopwood, A. G. (1974). Leadership climate and the use of accounting data in performance evaluation. The Accounting Review, 49(3), 485–495.
Joint Forum (2006). High level principles for business continuity. Basel Committee on Banking Supervision.
Knowledge@Wharton (2009). Re-thinking risk management: Why the mindset matters more than the model.
Kunreuther, H., & Heal, G. (2005). Interdependencies within an organization. In B. Hutter & M. Power (Eds.), Organizational encounters with risk (pp. 190–208). Cambridge: Cambridge University Press.
LaPorte, T., & Consolini, P. (1991). Working in theory but not in practice: Theoretical challenges of ‘‘high reliability organizations”. Journal of Public Administration Research and Theory, 1, 19–47.
March, J., & Shapira, Z. (1987). Managerial perspectives on risk and risk taking. Management Science, 33(11), 1404–1418.
Mayo, D., & Hollander, D. (Eds.). (1991). Acceptable evidence: Science and values in risk management. Oxford: Oxford University Press.
McGivern, G., & Ferlie, E. (2007). Playing tick-box games: Interrelating defences in professional appraisal. Human Relations, 60, 1361–1385.
Meyer, J. (2002). Globalization and the expansion and standardization of management. In K. Sahlin-Andersson & L. Engwall (Eds.), The expansion of management knowledge: Carriers, flows and sources (pp. 33–44). Stanford: Stanford University Press.
Mikes, A. (2009). Risk management and calculative cultures. Management Accounting Research, 20(1), 18–40.
O’Malley, P. (2004). Risk, uncertainty and government. London: Glasshouse Press.
Pentland, B. T. (1993). Getting comfortable with the numbers: Auditing and the micro-production of macro-order. Accounting, Organizations and Society, 18(7/8), 605–620.
Power, M. (2004). The risk management of everything. London: Demos.
Power, M. (2007). Organized uncertainty: Designing a world of risk management. Oxford: Oxford University Press.
Robinson, D. (2007). Control theories in sociology. Annual Review of Sociology, 33, 157–174.
Scott, J. (1998). Seeing like a state: How certain schemes to improve the human condition have failed. New Haven, CT: Yale University Press.
Silbergeld, E. (1991). Risk assessment and risk management: An uneasy divorce. In D. Mayo & D. Hollander (Eds.), Acceptable evidence: Science and values in risk management (pp. 99–114). Oxford: Oxford University Press.
Simons, R. (1999). How risky is your company? Harvard Business Review, 77(May–June), 85–94.
Stulz, R. (2009). Six ways companies mismanage risk. Harvard Business Review, March, 86–94.
Turner, B. (1976). The organizational and inter-organizational development of disasters. Administrative Science Quarterly, 21(3), 378–397.
Turner, A. (2009). Foreword by the chairman. Financial Services Authority business plan 2009/10. London: Financial Services Authority.
Whitley, R. (1986). The transformation of business finance into financial economics: The roles of academic expansion and changes in US capital markets. Accounting, Organizations and Society, 11, 171–192.
Wynne, B. (1996). May the sheep safely graze? A reflexive view of the expert-lay knowledge divide. In S. Lash, B. Szerszynski, & B. Wynne (Eds.), Risk, environment and modernity: Towards a new ecology (pp. 44–83). Sage.