پویایی های سازمانی از مدیریت ریسک شرکت

This paper explores the organizational dynamics of Enterprise Risk Management (ERM). ERM is the main form taken by firms’ increasing efforts to organize uncertainty, which ‘exploded’ in the 1990s. The ERM approach seeks to link risk management with business strategy and objective-setting, entering the domains of control, accountability and decision making. In this work, the organizational variations of ERM are investigated through a longitudinal multiple case study, using data from three companies collected over a 7-year period (from 2002 to 2008). The findings contribute to our understanding of ERM as a practice, revealing its trajectory within the organizations as it encounters pre-existing logics, and as both are shaped by risk rationalities, experts and technologies.

“We now propose to introduce Enterprise Risk Management (ERM) analysis into the corporate credit ratings process globally as a forward-looking, structured framework to evaluate management as a principal component in determining the overall business profile. […] ERM provides management with information to optimize earnings – and ultimately the firm’s value – while staying in a well-defined risk tolerance. […] ERM also provides a new and clearer language for transferring information about management’s intentions and capabilities, which are critical to credit evaluation” (Standard and Poor’s, 2007). Interest in Enterprise Risk Management (ERM) has grown rapidly during the past 15 years, with regulators, professional associations and even rating firms calling for its adoption. In response to this demand, more and more companies are today embracing ERM, yet its implementation remains poorly integrated, with disparate practices grouped under the same label (Mikes, 2005, Mikes, 2009 and Power, 2007). ERM can be viewed as the culmination of the risk management explosion that started in the 1990s, and is touted as a holistic approach for assessing and evaluating the risks that an organization faces. ERM is most frequently defined with reference to the 2004 Guidance document published by the Committee of Sponsoring Organizations of the Treadway Commission (COSO), which states: “Enterprise Risk Management is a process, effected by an entity’s board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risks to be within its risk appetite, to provide reasonable assurance regarding the achievement of the entity’s objectives” (COSO, 2004). The COSO guidance depicts ERM in managerial and prospective light (Burton, 2008), normatively defining specific elements for its implementation, and advocating that it should benefit decision making and management control. Despite the rational approach proposed, the transition of risk management from a narrow, technical focus (Aseeri and Bagajewicz, 2004, Jaafari, 2001, Kalu, 1999 and Verbeeten, 2006) to the strategic sphere has turned ERM into a fluid and poorly defined instrument. ERM can be different things in different organizations, or even within the same organization at different times. Mikes, 2005 and Mikes, 2009 and Power, 2007 and Power, 2009 highlight this fluidity, pointing out how ERM can vary in its calculative practices, cultural significance, and level of embeddedness. Power (2009), in particular, notes the danger of ERM lapsing into ‘rule-based compliance’, and failing to become embedded in managers’ decision-making and business processes. This eventuality was already borne out by a 2004 PricewaterhouseCoopers survey, in which CEOs said they viewed ERM as an external accountability device that does not impact on managers’ decisions and operations (PricewaterhouseCoopers, 2004). ERM embeddedness has been further emphasized in the wake of the recent financial crisis (McGinn, 2009, O’Donnell, 2009 and Price, 2008), calling for “real ERM” (Zolkos, 2008, p. 6). It has been argued that, for ERM to be effective, companies must “look beyond technology to establish a culture of risk management throughout the organization” (Bruno-Britz, 2009, p. 20), and that ERM must permeate existing practices and the individual behavior of managers in everyday decisions (Standard & Poor, 2008). Despite these recommendations, there are as yet few critical contributions exploring how ERM works in practice, and even fewer addressing how its organizational assembling evolves and contributes to a risk management style (Gephart et al., 2009 and Power, 2009). The present work contributes to filling this gap in our knowledge of the nature of ERM and its organizational coupling, by exploring how it is translated and alters the behavior and mindset of the actors who, in different capacities, participate in managing uncertainty.3 These dynamics are examined in detail as a situated practice (Chua, 2007), looking at three companies that have implemented ERM approaches. The field work was conducted over a period of 7 years, from 2002 and 2008, using a case study approach. A total of 41 face-to-face interviews were carried out, with 23 informants. Drawing on Miller and Rose (1992), we adopted an institutional perspective (Greenwood et al., 2008 and Lounsbury, 2008) to analyze the ERM dynamics, which was framed around three elements: risk rationalities, uncertainty experts, and technologies. Risk rationalities denotes the discursive and visual domains that frame how uncertainty is conceptualized into risks, eliciting to varying extents apprehension about the unknown and its impact, and an urgency for control. The second element is that of the corporate roles involved in controlling uncertainty, which include not only the ERM orchestrators, usually given the title of Chief Risk Officer (CRO), but also risk specialists, internal auditors and management accountants, who also increasingly aspire to a greater role in risk management (Fraser and Henry, 2007 and Institute of Management Accountants, 2006). Entwined with these rationalities and experts is the third element of analysis – namely technologies – which denotes the complex sets of practices, procedures and instruments enacted to accomplish the management and control of risks. Although the three case studies described in this paper are not intended to be generalizable, the results do highlight some fundamental aspects of ERM, and its differing organizational trajectories, that may also be relevant to other settings. The observed dynamics reveal a continually evolving mutual interaction between ERM and other pre-existing risk management practices, including elements of management accounting. This fluidity is shaped by the organizational setting, by wider control issues, but also by the roles involved. CROs, management accountants, internal auditors, and risk specialists become translators (Latour, 1987) of the different practices. Through their embedded action, they translate the company’s’ programmatic ambitions, sometimes seizing opportunities to gain additional power, sometimes struggling to secure organizational recognition, and sometimes paying scant attention to practices perceived as mere formal compliance tasks. Our analysis is developed in the remainder of this paper, which is organized as follows: “The origins of Enterprise-wide Risk Management”, below, describes the origins of ERM, its ambitious and universal message, and the challenge of embedding it within organizations; “ERM organizational dynamics: framing the analysis” then introduces the theoretical framework adopted to cast light on the dynamics of ERM translation; the empirical case studies are illustrated in “The research approach”; and the final sections contain a presentation and discussion of the results, followed by some conclusions.

Enterprise-wide Risk Management (ERM) belongs to a new wave of self-regulating approaches that started to appear during the 1990s. Although ERM emerged in the domain of internal controls, it aims to be a managerial philosophy that “provide[s] reasonable assurance regarding the achievement of entity objectives” (COSO, 2004). This paper has explored this managerial ambition, investigating the nature of ERM and the heterogeneity of its organizational dynamics. The cases were analyzed through a theoretical lens drawn from Miller and Rose (1992), which we framed around three sensitizing concepts: rationalities, experts and technologies. Drawing also from practice-theory, these three elements were rendered specific to risk management, building a reference framework for representing the cases and constructing more explanatory offerings. This was made possible by “zooming in” and “zooming out” of practice (Nicolini, 2009), using the concepts to represent the practice and then tracing circular and contingent causalities (Morin, 1999). Through this interrogation of practice, we responded to the call for more organizational studies of risk management (Gephart et al., 2009 and Power, 2009), but also to the call for a more holistic approach to practice analysis, that pays attention to broader cultural paradigms (Lounsbury, 2008). With specific reference to the contribution to risk management as an organizational practice, the cases presented show that, in its managerial guise, ERM introduces a new scientific rationality (Beck, 1992), marking a potential rupture in the company’s risk history and sensitivity, but its organizational translations diverge as they encounter pre-existing centers of control and practices. This heterogeneity is explained at the highest level by differing risk rationalities and their potential to challenge the conceptualization of uncertainty. A shift in the decisional mindset and context is shown to be dependent on whether risks are represented as ‘real’ problems for managers, instilling urgency in the form of a new moral vocabulary, and by visualizing impacts in a manner close to their actions and responsibilities. However it is through the experts’ embedded actions and their mutual entanglement that the translations are revealed. Constrained by the organizational space found within control frameworks and decisional centers, the heterogeneity of practice is then reduced or enlarged by the approaches adopted by the experts. Greater social interactions emerged as crucial for transferring cultural values, problematizing ERM and insinuating apprehension in managers. Though we do not claim that higher interactivity leads to better forecasting, it does move ERM from being a black box of risks and solutions, to a process of confrontation potentially able to prepare managers for a Black Swan (Taleb, 2007). ERM is then rendered a managerial problem only if the rationalities are reflected in operable technologies. Qualitative risk maps are perceived as being of little use and far removed from managers’ decisions, contributing to a positioning of ERM as a governance device. In the case where this was overcome, and risks linked to performance, a new style of ERM-budgeting (Hopwood, 1978) emerged. This in itself raises several questions about budgeting-related issues, such as the change in the negotiation, information asymmetry, creation of reserves and, last but not least, the ‘risk’ of pushing individual appetite and opportunism even further (Power, 2009). The investigation of the partnership between ERM and performance management is not, however, the only avenue of research opened up by the present work. Our findings provide explanations, although contingent, of ERM organizational dynamics, which deserve further study. Firstly, the centrality of companies’ business histories suggests the need to better understand how dramatic rare (Lampel, Shamsie, & Shapira, 2009) events affect the conceptualization of uncertainty and, in consequence, managers’ sense of morality and behavior. Certain recent financial and operational failures would provide fertile ground for this kind of research. Secondly, this work raises questions concerning the generalizability of its results, and the extent to which ERM dynamics depend on sector specificities (e.g. high reliability organizations) and the characteristics of individual companies. Another avenue for further development pertains to the important role of social interaction (Miller, 2009) in the pervasive performance style of ERM. This finding suggests a need to better investigate the social network structures and their relationship with risk sensitivity propagation, but also raises questions about the competencies and capabilities that CROs, seen as network brokers (Kadushin, 2002), should have. More generally, our findings also respond to the call for a theoretically and institutionally grounded study of practices (Lounsbury, 2008 and Nicolini, 2009). Following the actors in action (Latour, 1987) and tracing their interconnections, we build upon the Miller and Rose approach (1992), progressing from the identification of key elements to the explanation of organizational dynamics, albeit related to a particular time and place. Risk rationality emerges as the global, background, conceptual element; it is institutionally embedded by mediators, who act as both localizers and globalizers (Nicolini, 2009). They are localizers in that they translate the cultural framework across the organizational networks, rendering broader issues operable (Miller & Rose, 1992). However they are also globalizers in that they contribute to the strengthening or weakening of cultural meanings and values, contingent on the organizational space which they are able to acquire in the decision making center. Finally, our work provides evidence supporting the importance of a holistic research approach that considers the behavior of people and their interrelations, along with the technological solutions as they occur in historical events and cycles. This suggests that considerable intellectual benefits could accrue from contamination with other disciplines (such as anthropology), with a view to providing a rich, systemic, yet always contingent, explanations of risk management practice.