The apparatus of fraud risk
Article code | Publication year | Number of pages of the English article |
---|---|---|
17776 | 2013 | 19-page PDF |
Publisher: Elsevier - Science Direct
Journal: Accounting, Organizations and Society, Volume 38, Issues 6–7, August–October 2013, Pages 525–543
English abstract
‘Fraud risk’ is ontologically different from fraud. Fraud itself is a disruptive event; fraud risk can and must be governed. This essay draws on Foucault’s concept of an apparatus (dispositif) to explain the emergence of this difference. The analysis begins with a concrete case and explicates the history of fraud risk which flows through a specific organizational setting. First, it is claimed that fraud risk must be understood in relation to the broader historicity of risk in which risk expands its reach as an organizing practice category. Second, it is argued that the diverse elements of the fraud risk apparatus – words, laws, best practice guides, risk maps, websites, compliance officers, text books, regulatory judgments and many more – have a trajectory of formation. This trajectory begins with auditing and expands into risk management, regulation and security more generally. Fraud risk management emerges as a highly articulated, transnational web of ideas and procedures which frame the future within present organizational actions, and which intensify the responsibility of senior managers. Overall, the paper challenges the common sense idea that the present shape of fraud risk management is a functional necessity demanded by fraud events. The purpose is to display the historically contingent regime of truth for speaking about fraud, risk and responsibility in organizations. The paper suggests that this ‘regime of truth’ consists in a form of managerial and regulatory knowledge with a ‘grammar’ governing rules for talking about and acting on risky subjects and organizations. The rise of ‘fraud risk’ management and its prominent position within the field of corporate governance in the 21st century is emblematic of an ongoing neoliberal project of individualization and responsibilization.
English introduction
Fraud ‘risk’ and actual fraud are very different from one another. Indeed, they are ontologically different; one is a possibility and the other is an actuality. Instances of actual fraud have a long history and much legal and analytical attention has focused on the mind and character of the fraudster as a dangerous individual. In contrast ‘Fraud risk’ is a relatively recent category at the heart of a diverse network of elements – rules, ideas, roles, procedures, routines, texts – focused on risk, control systems and managerial responsibility. This paper argues that the contemporary prominence of fraud risk management is different in kind from the historical preoccupation of penal systems with retribution and blame; it is a distinctive risk framing of a future to be managed in the present. While an interest in fraud prevention techniques, such as segregation of duties, reaches back into the nineteenth century and beyond, it will be argued that such techniques had the insider fraudster in their sights in a very specific way. Only much later did this activity come to be part of something called ‘fraud risk management’. It is tempting to regard ‘fraud risk’ as somehow timeless and inherent in the nature of organizational life. Yet the converse argument will be proposed, namely that it is historically contingent on the formation of a socio-technical network of elements. Drawing on Michel Foucault, it will be argued below that this network can be understood as an apparatus (dispositif). Two broad historical developments drive the emergence of the apparatus of fraud risk. First, during the 1980s, financial auditing became self-consciously risk-based. One aspect of this development involved repeated efforts to shift responsibility for the prevention and detection of fraud from auditors to management and their systems of control. In many respects the publication of the first code of corporate governance in the early 1990s in the UK marked the completion of this process. 
Second, this exported responsibility for internal control connected with a wider explosion of interest in risk management from the mid-1990s onwards. Fraud became institutionalized as a distinctive responsibility- and risk-object for organizations. ‘Fraud risk’ became an organizing concept for an entire managerial and regulatory infrastructure. ‘Fraud’ itself is an elusive category and exists as a term within popular discourse. It may be understood generally as non-violent crime involving theft of assets directly or indirectly via a variety of means of deception, such as ‘false accounting’ (a criminal offence, Jones, 2011). Yet, although UK law has recently tried to be more precise about the various sources and means of committing fraud (Taylor, 2011, chapter 3), it has no statutory definition. Sometimes categorized as ‘white collar’ crime (e.g. Geis & Stotland, 1980), fraud is also a focus for a great deal of criminal law and criminological research (Levi, 1987) and has come to be subsumed within the more general notion of ‘financial crime’ encompassing money laundering. These different nuances and associations make fraud itself a slippery concept for analytical and legal purposes despite its long history. Specific fraud ‘cases’ continue to give it life and recent financial history provides no shortage of them, from Maxwell to Madoff; from Barings to UBS, and many more in between (Kindleberger, 2000, chapter 5; Clarke et al., 1997 and Punch, 1996). Each case has led to reflection, investigation and pressures for reform. A focus has invariably been on the apparently deviant individuals in question; the character of the dangerous fraudster continues to fascinate a celebrity-oriented public. Yet equally, there has been a growing understanding that organizations and their economic environments are often both the context and potential means for the enactment of fraud, providing not only opportunity but also motive (Ermann and Lundman, 1996 and Greve et al., 2010).
The emergence of ‘fraud risk’ management reflects the growth of institutional attention to these organizational conditions of fraud. The arguments which follow address the historically contingent elements of fraud risk discourse as they emerged to shape the boundaries of thought, practice and responsibility attribution (Hopwood, 1987, pp. 230–231). Specifically, ‘fraud risk’ is positioned as an object in a wider system of rules for talking about, acting on and governing organizations in the name of risk. Rather than being a matter of common sense or functional necessity, the rise of ‘fraud risk’ management and its position in relation to corporate governance is emblematic of a distinctive liberal project of individualization and responsibilization (Rose & Miller, 1992). Yet, the main subjects of this process are not the fraudsters themselves but senior managerial actors, namely corporate directors as individuals and boards as their collective manifestation. How and why this new common sense of fraud risk management came about will be addressed in what follows. The argument begins from a specific organizational context in order to ground the methodological orientation of the paper and to display some of the micro-manifestations of the macro-level apparatus of fraud risk. The work of Foucault is a particularly attractive resource in this regard, enabling analysis across what some have called the micro/macro-split (Silverman, 1985, p. 88). This is followed by an account of the historical conditions of possibility of fraud risk in terms of a generalized expansion of risk framing, beginning with the calculative ‘insurantial imagination’ in the nineteenth century and culminating in the mid-1990s with an explosion of less calculative but even more expandable forms of risk management. 
This analysis of the historicity of risk provides the ‘archaeological’ moment of the argument (Hacking, 1986) by laying out the background conditions of possibility for the emergence of ‘fraud risk’ discourse, first within external auditing, then within internal control and risk management and finally as a feature of regulation supported by advisory services. Overall, it is argued that ‘Fraud risk’ is embedded in an extensive socio-technical apparatus (Hilgartner, 1992) involving regulators, consultants, compliance officers and many other actors, including material instruments such as fraud risk questionnaires and other diagnostic devices. The analysis goes on to suggest how security issues have also been re-coded within risk management frames, with a consequent securitization of fraud risk which continues to develop. At the heart of the apparatus of fraud risk is a body of disciplinary knowledge in Foucault’s sense which is not science yet which mimics the orderliness of science. The final section of the paper explicates the structure of this disciplinary knowledge as a ‘grammar’ characterized by four problem–solution clusters or diagnostic tropes. These clusters, which are defined by their respective deviant subjects (employees, leaders, organizations and outsiders), have their own specific histories of emergence, but they are also contemporaneous and intermingled, thereby contributing to the density of the apparatus. The ambition of the analysis as a whole is to move from a specific micro-setting to an understanding of the system of thought which flows through it and which constitutes the practice of fraud risk management. While there is rich variation and agency to be observed at the case level (Lounsbury, 2008), this variation can also be understood as variety within a larger system of thinking or logic whose elements are made manifest in the analysis which follows.
Indeed, even though there seem to be clear and obviously functional business interests in preventing costly fraud (FSA, 2006a), the analysis of the apparatus of fraud risk casts light on the deeper presumptions, assumptions and regularities which shape and channel the articulation of such interests.
English conclusion
The paper set out to show that fraud risk is ontologically different from the event of fraud. This difference is evident in the distinctive features of the apparatus of fraud risk which has emerged since the turn of the century. Fraud risk is not a timeless object of concern but a historically contingent ‘mode of financial governance’ (Williams, 2005, p. 332). Fraud risk management is a particular and specific effect of the general rise of an expansive risk management process which encompasses more and more objects (Power, 2007). This is not to say that fraud itself is entirely some kind of phantom of organizational or cultural construction. Far from it. We must be realists about unwanted financial loss and expropriation which cause pain and damage to people, either directly or indirectly. Yet, even such harms with widely agreed experiential characteristics nevertheless require construction as objects of regulation and management. They must be framed in a specific way in order to attract attention and financial and intellectual resources. From this point of view, while fraud events have been a concern for the legal system for many years, the recently increased responsibilization of organizations in relation to fraud risk can be understood as a shift in institutional and epistemic framing, from law and fraudsters to future framing in terms of risk, governance and systems. Fraud has been progressively classified and conceptualized as a risk in a variety of arenas, emerging from the world of auditing to be positioned as an element of security risk more generally. Fraud risk has been embedded in a dense apparatus or infrastructure, allocated to compliance and risk functions as a workstream, and has an increasingly standardized organizational path and location.
It is easy to maintain that fraud risk management is really a matter of common sense and is a functional response to the increased incidence of internally and externally originating crimes against the organization. Yet the positioning of fraud as a risk object within the more general emergence of risk management discourses also reflects a distinctive mode of governing the enterprise, one which normalizes fraud as a cost of business. The criminal fraudster remains of popular and media interest but ‘fraud risk’ has shifted attention from dangerous individuals and their prosecution in law, and has become a category at the center of an intensified and intensifying focus on managerial and regulatory responsibilities for maintaining systems of control and risk management. Ideas of governance, concerns with organizational errors and mistakes, and with corporate ethics, are all intermingled elements of the risk-based neoliberal consensus which took shape in the 1990s and within which the historical conditions of possibility of fraud risk management are to be found. None of this implies anything about whether the apparatus of fraud risk is ‘efficient’ or ‘functional’. The argument is agnostic on that point. But it is reasonable to expect that the rationalized procedures for fraud risk management are often disappointed and organizations find themselves ‘constantly surprised’ by fraud. Forms of misconduct like fraud introduce disorder, challenge existing meanings and always overflow efforts to tame and allocate them to control practices. The expansion of the network of technical, juridical and social elements – the apparatus – of fraud risk management is more than a functional response to these events. Foucault allows us to see it as the creation of a normative regime of truth, a regime at the heart of which is the risk-responsibilized senior management of discrete entities.
We take such matters for granted in a world where corporate governance norms seem almost universal, but in fact they are relatively recent. Risk management allows many different kinds of things to be thought of and acted upon in a similar way. The trajectory of fraud risk as a category of management attention has shifted from the classical figure of the internal perpetrator to the relatively recent specter of external attacks on organizations and cyber-crime. This corresponds to a shift in the dominant logic of risk management – from anticipation to resilience. Organizations are becoming responsible for internal arrangements which provide resilience to the external fraudster and it is now the hacker, rather than the cashier who never takes holidays, who must be excluded. Organizations which provide opportunities to those external parties who have motive are being made accountable for their weaknesses and may be penalized for being dangerous. The rise of security and technology issues in the accounting space is an interesting area for future research. In conclusion, it has been argued that fraud risk has become as much a mechanism for a system of organizational governance and discipline as it is for the prevention of harmful events. No doubt fraud risk is more salient for some organizations and businesses than others, by virtue of their scale, activities and general profile. The analysis does not preclude variety in the ways in which organizations like ABC process fraud risk despite being subject to the same ostensible regulatory demands. Rather, the argument points to the manner in which organizations have become more intensely governed in the name of fraud risk. Foucault was constantly criticized for neglecting interests and politics, and for failing to provide a theory of action and intention. Yet he repeatedly said that he was simply not interested in such matters, as important as they were to others. 
His project was to understand the historical conditions under which humans have the possibility to be actors of a certain kind and talked about and acted upon in a certain way. He did not intend to second guess specific actions at the individual or organizational level. This kind of analysis is inevitably imperfect and Foucault has his many critics (e.g., Davidson, 1986), not least for avoiding causal explanation. But his work has two important merits. First, it reminds us that taken-for-granted practices, such as fraud risk management, which can seem timeless are in fact historically contingent. Second, it supplements work by institutional scholars in understanding the linkages and pathways between the apparent micro-world of organizations such as ABC and the macro-discursive elements in which they are immersed. While Foucault is far from being the only thinker to push in this direction, the concept of the apparatus can be helpful in understanding the diverse external origins of internal organizational practices, such as fraud risk management. Finally, it is necessary to return to where the argument began. During an internal discussion of the events described at ABC in 2010, the sales director was heard to use the concept of ‘risk appetite’ in relation to a statement about organizational misconduct. Such a statement in the 1990s would not have been impossible strictly speaking. But it would have been regarded as eccentric or even unintelligible. In 2010 it is an acceptable statement in a regime of truth, an apparatus of fraud risk management, which has emerged from an expanding risk discourse and which shapes what it is possible to say with credibility.