مدیریت ریسک و فرهنگ حسابگرانه

Enterprise risk management (ERM) has recently emerged as a widespread practice in financial institutions. It has been increasingly codified and encrypted into regulatory, corporate governance and organizational management blueprints. A burgeoning literature of regulatory and practitioner texts is indicative of the apparent diversity of ambitions, objectives and techniques that constitute the ERM agenda. Making sense of these developments is a challenge. This paper presents field-based evidence from two large banking organizations suggesting that systematic variations in ERM practices exist in the financial services industry. The cases illustrate four risk management ideal types and show how they form the ‘risk management mix’ in a given organization. Further, drawing on the literature of the roles and uses of management control systems (MCS), the paper explores how ERM achieved organizational significance in the studied settings. The findings are indicative of the current co-existence of alternative models of ERM. In particular, two types of ERM models are postulated: one driven by a strong shareholder value imperative (ERM by the numbers), the other corresponding to the demands of the risk-based internal control imperative (holistic ERM). This paper explains the differences in the two risk management mixes pointing towards alternative logics of calculation [Power, M.K., 2007. Organized Uncertainty—Designing a World of Risk Management. Oxford University Press, Oxford], which I conceptualise and describe as different calculative cultures. The study suggests that calculative cultures, which in these cases shaped managerial predilections towards ERM practices, are relevant, albeit so far neglected, constituents of the fit between MCS and organizational contexts.

‘One of the things we have been struggling with over the last couple of years is how best to integrate meaningful high-level risk information into the strategic planning process. … The reason why the risk management function is called ‘Strategic’ is that the purpose should really be top-level coverage.’ (Chief Risk Officer, Strategic Risk Management, Gotebank). ‘Most of the people doing strategy [and planning] don’t understand risk. Most of the risk people don’t understand strategy. …People who do strategy [and planning] know they have to work out economic profit and they know they have to work out how much risk is involved, but they are not very interested in it. They are more interested in income and what is going to happen to the market place. They don’t want to get involved with risk all the time. The risk people spend all this time on calculating how much risk they have got and they don’t look at the bigger picture. Getting both sides to talk to each other is the hard part.’ (Assistant Director, Group Strategy and Planning, Fraser Bank). Making risk management strategic is a common pledge vowed by a string of chief executives who are currently taking the helm at troubled banking enterprises, weighed under the highest losses reported in recent credit history. The importance of making risk management ‘count’ in high-level strategic decisions is perhaps the most agreed upon lesson that industry actors are taking from the current credit crisis. As the Wall Street Journal commented on 15 November 2007: ‘After an era of go–go growth that led firms into profitable but chancy areas like mortgage securities, the industry is moving toward the kind of leader who gets down into the nitty-gritty of risk management.’ Indeed, the rise of risk management in recent years has drawn attention from several commentators who have been marvelling at the increasing spread and codification of risk practices under the term enterprise risk management (ERM). Michael Power noted the ‘explosion’ of risk management practices as a social phenomenon: ‘the risk management of everything’ (Power, 2004). He proposed that ERM might have emerged as a ‘world model’: ‘If we were to imagine the creation of a new banking organization, we know that it could not be founded without rapidly adopting the mission and principles of ERM.’ (Power, 2003a: 10). International bank capital regulation and corporate governance are two areas where the prominence of ERM was particularly ubiquitous. The Basel Committee, leading the reform of banking supervision, endorsed enterprise risk management as an umbrella notion that can accommodate the techniques required for bank capital adequacy calculation: ‘…integrated firm-wide approaches to risk management should continue to be strongly encouraged by the regulatory and supervisory community.’ (BIS, 2003b: 2). Many banks have adopted the mission and principles of ERM (PricewaterhouseCoopers, 2005, PricewaterhouseCoopers, 2007 and Deloitte, 2007). Yet we know little of how enterprise risk management works in action. Several questions are unanswered. What do risk managers do and what functional and structural arrangements organize their activities? What degree of organizational significance do risk managers have? How are risk control systems used by decision makers? Similar questions are being asked in the wake of the current crisis of confidence in the risk management capabilities of banks implicated in the credit debacle (Treasury Committee, 2007a and Treasury Committee, 2007b). As regulators and policymakers search for the answer in the spotlight of media and public scrutiny, this paper looks behind the scenes of risk management to its actual organizational settings, to examine the organizational processes through which the ‘risk voice’ is made influential, or not, as the case may be. Risk techniques were developed by financial institutions to address the issue of capital adequacy (how much capital cushion should a bank hold?) and the internal allocation of capital to business units (how much capital should individual business units carry?). The amount of capital reserved by banks is a key regulatory and managerial concern in the financial services industry. Risk techniques determine adequate capital requirements in proportion to the amount of risk taken, suggesting that banks should reserve more capital for higher risk-businesses and carry less capital for less risky ventures. Not derived from accounting principles, but from ‘economic calculations’ of risk, the risk-based capital amounts rarely coincide with the traditional accounting capital figures that banks carry in their books. The risk-based capital calculations are advocated by a new controller group, risk managers, as internal representations of risk profiles, complementary to accounting capital. Risk capital calculations may or may not get acted upon and put into action to determine actual capital allocations in the course of the planning process. In case they do, they add a new facet to accountability. Risk-based capital allocations open the possibility for capturing the so-called risk-adjusted returns that individual business units (or a group of business units) earn. Their technical novelty is that the accounting capital amounts used in the performance metrics are replaced by the risk capital allocations: thus, risk-adjusted return represents a departure from, and a complementary performance measure to, traditional accounting metrics. Given that the suggested applications of ERM in financial institutions belong to the realm of financial decision making and management control, it is somewhat puzzling that accounting researchers have so far given little attention to the subject. All the same, the literature of management control systems can help us make sense of enterprise risk management. In return, the existing body of work on management controls should be enriched by exploring ERM as another facet of organizational control and accountability. The common area of interest is the roles and organizational significance of calculative practices. Twenty years ago accounting was viewed mostly as a technical subject and little was known of ‘the organizational processes … through which the technical achieves its potential’ (Hopwood, 1983: 291). Recognising this, a number of important manifestos called for an organizational, rather than a singularly technical approach to accounting research (Burchell et al., 1980 and Hopwood, 1983). Subsequent studies illuminated the roles that calculative practices play and the intended and unintended consequences they have. These studies can be called upon in the course of exploring and scrutinising the roles and organizational significance of risk management. The objective of this paper is twofold: First, it conceptualises and synthesizes the diverse practices described by the normative literature on ERM. Second, based on notions developed in the management control literature of how calculative practices achieve organizational significance, and extensive field evidence, the paper explores the forms and uses of ERM and the roles that risk managers have come to play in actual organizational settings. This paper presents evidence from a field study undertaken in two large banking organizations. The focus on banks has a caveat emptor: risk management here (supposedly) addresses the question of bank capital adequacy, which is a regulatory requirement not faced by non-financial institutions. As the observed risk managers, however, will be shown to have wider objectives, and try to become involved in strategic planning, performance management and control, the study has implications for all risk managers who cast their nets wide and cultivate strategic control ambitions. These cases may have implications for not only banking specialists, but also for the theory and practice of enterprise risk management in general, as a corporate governance and management control discipline. A significant challenge for new control systems rising to organizational significance is the need to establish their own voice and language in order to provide organizational debates with their representation of economic motive and possibilities for action (Hopwood, 1987, Roberts, 1990, Dent, 1991 and Scapens and Roberts, 1993). In these studies accounting is shown to command organizational significance through the force of its ‘language’, which enables users to shape organizational agendas, direct scarce top managerial attention and mobilize action. The studies also highlight that different control systems are being furthered by different occupational and functional groups, who compete for ‘dominance’ over other control groups in influencing decision making at various organizational forums. In these struggles, the language of control becomes significant and, possibly, a source of power. As Dutton (1997) notes, ‘in an organizational context, intentional and unintentional usage of language to frame an issue mobilizes different groups of managers to invest in the issue. These framings, in turn, reflect different understandings of an issue and result in different patterns of attention allocation.’ (Dutton, 1997: 90.) Perhaps nowhere is the ‘usage of language’ as prevalent as in current developments in the risk management discipline. The spectrum of techniques ranges from statistical loss estimating tools, shrouded in analytical mystique to more descriptive, judgmental ‘mappings’ of risks into probability-impact matrices. Given that risk management in financial services firms is advocated in both forms (as a highly analytical loss-prediction tool as well as a ‘strategic’ risk mapping tool) its take-up rate and uses must, to a great extent, depend on top management's appetite for, or resistance to, highly analytical (or highly judgemental) information systems. Consequently, while a risk modelling technique might be successfully adopted in a highly analytics-friendly management culture, it might fail to resonate with one that takes a more cautious, incredulous approach to the benefits of quantitative modelling. Accordingly, this paper emphasises the role of alternative logics of calculation (Power, 2007), which I conceptualise and describe as different calculative cultures. I suggest that calculative cultures shape managerial predilections towards ERM practices, and serve as important constituents of the fit between risk control systems and organizational contexts. The first organization studied (henceforth referred to as Gotebank) possessed an ERM function that corresponded to a highly sceptical top managerial attitude to risk quantification (ERM adherents as quantitative sceptics). Here the computational role of risk techniques was underplayed, and emphasis fell on their use as a learning tool. Senior risk officers acquired power to set board-level agendas and assumed a role in high-level strategic decision making. Their ambition was to restrain excessive risk-taking resulting from expansionist business strategies. The remit of ERM included ‘strategic’ and ‘operational’ issues that were not necessarily quantifiable, but were perceived as threats to key strategic objectives. The second organization studied (henceforth Fraser Bank) was driven by a strong enthusiasm for risk quantification (ERM adherents as quantitative enthusiasts). A consensus agreement was built around the ability of risk numbers to reflect the underlying risk profiles. This case evidences risk management not only as a tool of computation, but also as ammunition to diverse organizational actors who mobilized risk numbers in the process of negotiating intra-group capital allocations. Thereby risk managers became involved in the strategic planning and performance measurement process. However, risk people were excluded from the discussion of non-quantifiable strategic and operational issues and were denied influence on discretionary strategic decisions.

In the financial services sector ERM is thought to embody a set of risk practices that encompass such wide- ranging techniques as value-at-risk and economic capital models, as well as qualitative methods for non-financial risks. Practitioner predictions suggest that taken together, these risk management approaches increasingly constitute ‘best practice’ that more and more organizations aspire to implement (e.g. Lam, 1999; Gilbert, 2004 ). This paper argued that innovations in ERM tech- niques increasingly cluster around four themes: risk quantification, risk aggregation, risk-based performance measurement and the management of non-quantifiable risks. Each of these themes represents different ambi- tions and objectives that risk officers might pursue, giving rise to four risk management ideal types. These all have enterprise-wideambitions,andcanbeviewedasthebuild- ing blocks that constitute the risk management mix in a given organization: risk silo management, integrated riskmanagement,risk-basedmanagementandholisticrisk management. Takingafieldperspective,thepaperproceededtoinves- tigate the risk practices of two banks. Each bank appeared topossessariskmanagementmixthatwasspecifictoitselfHowever, the underlying currents that are associated with these patterns may be instructive in other cases too. The shareholder value imperative appears to drive a particular model of ERM characterized by a risk manage- ment mix in which risk-based management is a salient element ( ERM by the numbers ). This ERM model is contin- gent on a vision of uniting and controlling risk and return objectives in a common framework. This model presumes a great deal of ‘quantitative enthusiasm’, as it requires the quantification of both the risk silos and the risk capital need of business entities. Hence risk management’s remit is defined in terms of the quantifiable risks, and its concern with non-financial risks extends beyond the risk silos only as far as risk quantification is possible. The strategic signif- icance of this risk management model is derived from its close integration with strategic planning and performance management, but as a control function, it is fundamentally diagnostic . On the other hand, the risk-based control imperative can be associated with a different model of risk manage- ment: one with a risk management mix in which holistic risk management is prominent ( holistic ERM ). Taking a great deal of ‘quantitative scepticism’, risk officers quantify risks, but exercise control in a flexible manner, allowing the renegotiations of risk limits, when the interest of the business requires so. This approach requires risk officers to possess considerable knowledge of the businesses whose risk-taking they monitor. Senior risk officers are keen to acquire business insight in order to voice their opinion on risk issues that are beyond the quantifiable risk frame- work. They derive strategic significance from influencing high-level strategic decision making by responding to the particular concerns of top management at any given time. Inthismodel,holisticriskmanagementisused interactively (bytopmanagement),intheformalcontextoftheriskman- agement committee where the senior risk officers set the agenda and provide information for it. The field perspective and the conceptual unbundling of ERM suggest that risk practices and risk management ideal types constitute an assembly. Similarly, distinct con- ceptual clusters have emerged in the activity management assembly ( Gosselin, 1997 ) and in the evolution of the bal- anced scorecard ( Speckbacher et al., 2003 ). The proposed co-existence of four ideal types of risk management is con- ceptually similar to the existence of three levels of activity management and the distinction between three types of balanced scorecard. Latervariantswithinthesameassemblyseemtoassume astrategicrole.Theeventualaspirationtolinkinitiallycon- fined, highly specialized or technical practices to strategy is a phenomenon that appears to characterize the develop- ment of not only ERM, but other management innovations too (c.f. activity-based costing and management, ‘Type III’ balanced scorecard, strategic management accounting). The clustering of techniques within the same assembly is not merely conceptual, it takes place in actual orga- nizational settings. In practice it appears that assemblies of management control innovations offer practitioners opportunities for selective implementation, revision and switching between the different sub-groups of techniques within the same assembly ( Gosselin, 1997 ). It is remarkable that given the empirical evidence, few ABC and BSC implementations are strategic. In contrast, the ERM mixes (inthecaseofGotebankandFraserBank)didpossessstrate- gic significance, albeit of dissimilar nature. Gotebank’s holistic risk management capability appeared as a sepa- rate development from its risk measurement practices. On the contrary, Fraser’s risk-based management was strongly dependentonitsrisksilomeasurementandintegratedrisk management capabilities. This study suggests that in order to realise the strategic potential of assemblies, advocates need to demonstrate not only technical competence, but also an ability to align their assembly of control practices with top management’s predilections towards the use of different technologies. In particular, aligning the risk man- agement mix with the predominant calculative culture of intended users played out differently in the studied set- tings, but in both cases required a great deal of political aptness on the part of risk controllers. Accordingly, the organizational significance of management control prac- tices hinges, in part, on the leadership and political skills of the management control practitioner. As a reflection on the corporate governance context of risk management, it appears that the spectrum of risk practices suggested by COSO (2004) , falls into two clus- ters. On one hand, ERM by the numbers responds to the suggestion of ‘applying risk management in strategy set- ting’ (i.e. integration with planning and control) and using it ‘to manage risks to be within [the firm’s] risk appetite’ (i.e. control by exception). On the other hand holistic ERM corresponds more directly to the design requirement that risk management should be applied ‘to identify poten- tial events that may affect the entity’ and bring those to high-level discretionary decision making. What corporate governance advocates need to consider in the future, is that these two clusters of requirements might well be con- tingent on (or give rise to) different calculative cultures. HenceERMadherentsmightstruggletoadoptalltheCOSO- recommended risk practices within a single firm– ERM by the numbers could thrive where holistic ERM is frustrated, and vice versa. The distinction between the two clusters can be useful ingeneratingfurtherempiricalresearchagendas.Foursuch questions are outlined. The first agenda would aim to verify if the distinc- tions between the types of calculative cultures and the two diverging risk models are valid more generally. A survey of a larger sample of financial institutions could be used to explore the risk management mix in different organi- zations, the patterns they take and the driving factors of the emerging clusters. Surveys, interpreting the responses of managers to questionnaires on their risk management philosophies and attitudes to risk modelling would also further scrutinise the concept of calculative cultures. The notion of calculative cultures might be applicable in other contextual analyses of management control system (MCS) adoptions. Reflecting on the case studies and on Bhimani (2003) , I suggest that a given calculative culture shapes managerial predilections (or resistance) towards new MCS, serving as an important determinant, as well as result, of the fit between MCS and organizational contexts. It is likely that other variables that were not so salient in thepresentstudywillsurfacemorepowerfullyinalargersam- ple study; Table 2 was merely suggestive of the presence of other contingencies, namely strategic pattern, size and age. Another research question would seek to investigate if a special case of risk management would still comply withthedistinctionbetweenthequantitativeandtheholis- tic models. Specifically, the treatment of operational risk in the risk management models could be further explored. Operational risk is a particular risk issue that poses differ- ent challenges to the postulated risk management models. Given the current Basel II framework, under the definition of operational risk one finds both quantifiable and non- quantifiable risks. Financial institutions need to apply a rather loose regulatory definition to devise a set of oper- ational risks that are relevant to them. With the amount of flexibility offered in Basel II, it is likely that organiza- tions will cherry-pick issues for inclusion into the remit of the operational risk controller. Based on the distinction between the two risk management models (quantitative and holistic), one would expect that with time the man- agement of operational risk will take different routes, depending on which ERM model it conforms to. Thirdly, further research into the dynamics of risk man- agement is warranted. Longitudinal studies are necessary to confirm the validity of the drivers that are associated with different risk management styles. They would also help to explore if the choice of interactively (or diagnosti- cally) used risk controls is motivated by top management’s assessmentsofthekeystrategicuncertaintiesoftheirorga- nizations. Further, the signaling effect of internal control systems (as postulated in Simons, 1990, 1991 ) could be explored in the ERM context too. We need to trace the response of organizational participants to the interactive use of particular risk controls. Would the process result in the emergence of new strategic initiatives? Studying the dynamics of risk management, the researcher would need to consider the interactions between risk and other man- agementcontrols.Inparticular,thisstudysuggeststhatthe interface between accounting and risk controls is riddled withpossibilitiesandtensions.Thusstudyingriskmanage- ment will help us further explore strategic planning and performance management in organizations. Finally, it is unclear to what extent the two models of ERMaremutuallyexclusive.Dotheyrepresentadivergence in the risk management world, or are they different stages in the evolution of risk management? Given the seeds of value-based management already sown in Gotebank, it is possible that another management team or a turn in the institutional pressures may bring a paradigm change in the future. Equally, should the VBM project fail to deliver the expectations attached to it, the quantitative model of riskmanagementmaygetdiscreditedinFrasers.Thiscould resultinyetanotheroverhauloftheriskmanagementfunc- tion and a redefinition of its role. Talking of such shifts is highly speculative, even though it is likely that any partic- ular risk management mix or model would be a dynamic phenomenon and subject to change. However, from a con- tingency perspective, one would argue that the incidents that shape the patterns in the development of risk man- agementpracticesaresystemic,ratherthanerratic,andcantherefore be explained by careful studies of the underlying currents. As risk management is a rather nascent management control practice, it is not yet clear how it will ultimately benefit organizations that adopt it. The Basel regulators have built the international bank regulatory regime on thepremiseofcontinuingriskmanagementdevelopments. On the evidence of the cases presented here, senior risk officers exercise a considerable amount of discretion in determiningtheirfunctions’remit,subjecttoaccommodat- ing relevant stakeholder concerns. Academic researchers can usefully contribute to the debate on the regulatory, corporate governance, management control and account- ability issues that are emerging in the wake of enterprise risk management.