چشم انداز نظریه احتمالی درباره سیستم کنترل مدیریت ریسک در شورای شهر بیرمنگام

In recent years the topic of risk management has moved up the agenda of both government and industry, and private sector initiatives to improve risk and internal control systems have been mirrored by similar promptings for change in the public sector. Both regulators and practitioners now view risk management as an integral part of the process of corporate governance, and an aid to the achievement of strategic objectives. The paper uses case study material on the risk management control system at Birmingham City Council to extend existing theory by developing a contingency theory for the public sector. The case demonstrates that whilst the structure of the control system fits a generic model, the operational details indicate that controls are contingent upon three core variables—central government policies, information and communication technology and organisational size. All three contingent variables are suitable for testing the theory across the broader public sector arena.

In recent years the topic of risk management has steadily moved up the agenda of both government and industry, to a level where “it is more important than ever before” (Lam, 2006). This development has run parallel with the evolution of regulatory frameworks for corporate governance in response to a series of well-publicised corporate scandals and failures across the world (Collier and Agyei-Ampomah, 2005). Recent governance reforms, such as the Sarbanes-Oxley Act in the US, the Basel II Capital Accord and the revised Combined Code (2003) in the UK have sought to minimise the risk of future major corporate failures via tighter regulation of internal control systems. In the USA, the crisis of confidence in the capital markets that resulted from a series of control failures led to the SEC calling for companies to improve risk control and compliance systems in the belief that strong control systems would serve to strengthen investor confidence. National and international governance regulations reflect the view that corporate governance, internal control and risk management are inter-dependent. The boundaries between the concepts may appear rather blurred at times, and it is not always clear whether risk management is a sub-division of internal control or vice versa, but the dominant recurring theme is that risk management is an integral part of the process of corporate governance (McRae and Balthazor, 2000). In a private sector context, the primary responsibility for all three rests with the Board of Directors. Private sector initiatives to improve risk and internal control systems have been mirrored by similar promptings for change in the public sector, where risk management is also seen as an important dimension of good governance as well as a tool to aid the achievement of strategic objectives. Addressing members of a public sector governance and risk forum, the Australian Auditor General observed that: “as corporate governance receives increasing attention—I have heard it referred to as an ‘unrelenting tide’—it is becoming almost a given that effective risk management, as a corner stone of good corporate governance, results in better service delivery, more efficient use of resources, and better project management” ( Mc Phee, 2005). The Audit Commission in the UK also sees a direct link between risk management and service delivery in arguing that “an authority’s systems of internal control is part of its risk management process and has a key role to play in the management of significant risks to the fulfilment of its business objectives” ( Audit Commission, 2001, p. 7). The underlying arguments driving the development of formal risk management controls therefore appear to have strong similarities across both private and public sectors, but it is simplistic to assume that the resulting systems will be the same. Anecdotal evidence suggests that public sector risk management is distinct and different from private sector risk management, (Fone and Young, 2000 and Mc Phee, 2005), but there is a lack of academic literature that tests such views. This paper uses an exploratory case study of the risk management system within Birmingham City Council to develop a contingency framework for the public sector. The decision to use contingency theory to explain the case study findings was stimulated by the fact that it recognises the influence of organisational context upon choice of control system (Chenhall, 2003), and the public and private sectors are arguably different contexts. Additionally, the paper responds to Chenhall’s (2003) recognition of a need for more contingency based research in not for profit organisations. The contingency approach to management accounting control emerged out of earlier research in the area of organisation theory (see for example the work of Bums and Stalker, 1961, Woodward, 1965, Lawrence and Lorsch, 1967 and Pugh and Payne, 1977.) Organisational theorists suggested that the structure and activity of complex organisations was subject to the influence of a number of contextual variables (Waterhouse and Tiessen, 1978) such as technology and environment. The transfer of this “ready-made theory” (Otley, 1980) to management accounting led to the key contingent influences on management control systems being categorised under the headings of environment, technology, structure and size. Langfield-Smith (1997) provides a useful summary of contingency research, and in common with Otley (1999) and Chenhall (2003) she also notes the emergence of a literature on the role of strategy as a contingent variable. This paper contributes to both the empirical and theoretical literature within management accounting. Empirically the choice of the risk management system as the focus of the study provides a novel context for the analysis of an emerging issue and shifts the emphasis away from the “narrow financially biased perspective” that “dominates much of the control literature” (Otley et al., 1995). It simultaneously addresses the paucity of studies of control systems in operation (Otley, 1999). In terms of theory, the paper develops both accounting and organisational theory by reformulating contingency theory, using a new set of variables that are specifically suited to the public sector context. The next section explains the background to the case study via a summary of the evolution of thinking and practice in public sector risk management. This is followed by a brief explanation of the research method, and the case study site. The fourth section details the basic structure of the risk management system in Birmingham City Council, which provides a background for consideration of the specific factors influencing the way the system operates in practice. Information collected for the case is then used to demonstrate that three core variables – central government policies, information and communication technology and organisational size—influence the practical application of the control system. With the exception of organisational size, these variables are new to contingency theory and they provide a framework for a public sector contingency theory that is new to the literature. We conclude that risk control systems within Birmingham City Council are contingent upon the identified variables but that further research is required to test their applicability to other management control systems across a broad range of public sector organisations.

The case study presented above confirms the existing literature ( Collier et al., 2006 ) which argues that the basic structures of risk management are common across large organisations.Atthesametime,however,theresearchfind- ings also challenge this literature by indicating that at the detailed operational level the risk control system is con- tingent upon three variables, namely central government policy, information and communication technology and organisational size. The evidence in support of this contingency framework was presented in the previous section, and the relevant variables, together with examples of their respective influ- ence, are summarised in Table 1 . Table 1 categorises the three contingent variables as Level 1 or Level 2. Central government policy is classed as the most powerful (Level 1) contingent variable because it impacts on risk management in several concurrent ways. Both information and communication technology and sizeare Level 2 variables in recognition of the dominant influ- ence of central government policy. The case study shows that central government pol- icy acts as the overarching Level 1 contingent variable for two main reasons. Firstly, government policy drives many of the strategic objectives of local government, and performanceagainstobjectivesisthefocusoftheriskman- agementsystem.Secondly,centralgovernmentdetermines the resources available at local level and therefore also implicitly influences the scope to invest in control systems. In terms of day-to-day practice, there are three ways in which government policy directly influences the design and operation of the risk management control system. These are shown as examples in the relevant section of Table 1 . Firstly, the performance appraisal system of CPA drives the council’s behaviour in prioritizing the alloca- tion of resources to meet the necessary targets, and this in turn affects both risk and internal audit. Secondly, the government policy of promoting knowledge sharing has resultedinBirminghamsharinginformationbothasagiverand as a recipient on best practice in risk management, and refining their control system as a result of learning from the information sharing. Furthermore, the transi- tion from CPA to CAA with its associated requirements for partnership working has direct implications for risk man- agement within the authority, and the resources required for training in this area. Lastly, central government pol- icy restricts strategic freedom by defining both the scope of service provision and also establishing minimal stan- dards of service, with a consequential impact upon risk controls. Table 1 depicts ICT as a level 2 contingent vari- able which impacts upon risk management both directly and indirectly. ICT directly influences risk management because the specialist software is integral to the risk control process. Magique is used for real time updat- ing of risk registers, on line training, the maintenance of an events log and cross directorate sharing of risk information. In addition, ICT also acts as an indirect con- tingent variable because it provides the mechanism for the collection and collation of both performance and risk related information. As a result, inadequacies or limita- tions in ICT provision can serve to undermine access to risk information and the effective operation of the control system. The final Level 2 contingent variable listed in Table 1 is organisational size. The large scale of Birmingham City Council’s operations is shown to have resulted in for- malisation of the risk management system. Formality is characterised by a tendency towards heavily documented control systems, and the use of high numbers of specialists using sophisticated technologies ( Merchant, 1981; Bruns and Waterhouse, 1975 ). The case study examples cited in Table 1 confirm the presence of both of these features within the case study site. The exploratory research described in this paper there- fore develops existing contingency theory by establishing a new set of contingency variables for the public sector. The resulting theoretical propositions and empirical find- ings offer significant scope for further research assessing theextenttowhichthetheoryisgenerallyapplicableacross the public sector. Such research could test for the presence of the contingency variables across both a wider range of public sector institutions and also a number of different control systems. Additionally, there is scope for research to test the strength of influence of central government pol- icy over control systems. The case suggests that it is the most powerful of the contingent variables, but it is possi- ble that its influence is dependent upon the context. That is, in the NHS, police or fire service, for example, this vari- able may lack the dominance that it exhibits within local government. The study also highlights the way in which different styles of research can reveal very different stories. Using a surveybasedapproach,asper Collieretal.(2006) ,provides the researcher with a generic picture of the control system, but case study research can be used to “fill the gaps” and enrichthefindings.Surveybasedresearchisextremelyuse- fulforidentifyingbroadtrendsinpracticeandtheexistence ofspecificfeaturesofcontrolsystemsacrossalargenumber oforganisations.Atthesametime,however,itsverynaturemeans that it precludes deeper investigation of the issues at an institutional level. The study reported above clearly demonstrates that in depth interviews, and extended time spent within an organisation help to reveal not just the structure and mechanics of a control system, but also how it functions on a day-to-day basis. This is very important because the effectiveness of a control system depends not just upon its overall design but also the way in which the controls are implemented. In other words, there is a benefit to utilising a range of different research methodologies to investigate a common issue because surveys and case studies are complementary to one another in terms of the insights that they poten- tially yield. The scope to apply this multiple methodology approach means that it is certain that there is still a lot of research to be done on risk management systems and the interface between risk management, internal control and governance.