Organized Uncertainty – Designing A World of Risk Management

Risk has become a frequent and normal word to describe each and everything, especially matters concerning organizations or society at large. There is a real explosion of risk discourse, which is as vast as an ocean today, and accompanied by a “risk‐based re‐description of organizational and personal life” (Power, 2007, p. 1). This phenomenon does not really exist because risks would have increased, the author reckons, but more because there is a growing social demand or appetite for neoliberal ideas. Such ideas (like opportunity society, performance and value creation) and principles (like transparency, precautionary, etc.) have been translated in a new governance logic. This has led to a real organizational governance and then to a specific risk governance, acknowledged to be one of the most prominent features of organizational life in the contemporary era; risk committees did not exist ten years ago, but now, they have become mandatory! The stimulus of scandals and catastrophic events has triggered a “risk management explosion”, seen as a direct aftermath of the “audit implosion” analyzed in Power's previous research. Risk management concept and practice is today said to be pervaded by organizational defensiveness and a logic of auditability: “Organizations adopt rationalized approach to show that they have done everything that is reasonable because of fear of institutional sanction” (Power, 2007, p. 11).

There is seemingly some need for “a certain kind of rational organizational design” (Power, 2007, p. vii) which is to be found in risk management; a good reason to study it more carefully. Shifting from the logic of calculation and a “false precision” (life insurance as technology of government) to that of organization and accountability, risk management has been devoted a specific organizing power in the face of uncertainty, which is consubstantial to managing and organizing. Organized uncertainty is this specific process of arranging “risk objects” for the purpose of action and intervention, often thought of as machine‐like problem, with a direct but unacknowledged appeal to cybernetic models. But risk management, in addition to its lack of clear and common definition, as it is the case too with the concept of risk itself, “is always a practice under some description or other, a description which embodies ideas about purpose and which embeds practices in larger systems of value and belief”, (Power, 2007, p. 25). This is the reason why the author insists on paying specific attention to the process by which risk objects are conceptually constructed, neither taking their existence or meaning for granted:

This book focuses on the emergence and transformation of managerial categories and classifications which provide a basis for the legitimate organizational self‐description of risk management. [Organizational actors] produce a world in which conceptual objects of governance, organization, risk and management are being continuously co‐defined. Specifically, they construct an idea of risk governance which demands the rational design of risk management process (Power, 2007, p. 28).

This constant co‐definition would not be possible unless different actors can use “boundary objects”, categories spanning boundaries and of interest for a variety of stakeholders, whose ambiguity is, in fact, an asset used to organize what we do not know: uncertainty. One of such organizing concept is internal control, stemming originally from accounting. It has been gradually rewritten and reconceptualized as risk management, under the influence of governance issues and it has become some sort of a “moral technology” embedded within neoliberal regulatory strategy (“private government” or “soft law”). Succeeding in combining flexibility with information disclosure through self‐enforced compliance, this governance leads to the internalization of regulatory activities by organization and to the dissemination of best practices, where internal control (COSO I) is perceived as good self‐control. The internal audit function plays a special role in this venture where everything in organization is redescribed in terms of risk handling. The internal auditor is seen as a risk manager and is hence focused on business risk analysis.

The Sarbox regulation was instrumental in institutionalizing this merging of internal control, audit, and risk management in order to get uncertainty managed, by thinking it as if it were a risk with a specific probability and impact (as suggested in COSO II and its enterprise risk management framework or ERM). Internal control consequently offers a new grand narrative of control and:

[…] instrumentalizes neoliberal logics of governance. Good internal control is regarded as a signal of a certain kind of organizational virtue, and a potential platform for the representation and coordination of external interests (Power, 2007, p. 63).

ERM is actually an “umbrella concept” embodying at the same time risk calculation (notably in the financial industry through the definition and use of risk metrics like VaR and RAROC which entailed Basel II) and organizational processes (through the governance of risk metrics and risk mapping, understood as a mode of risk visualization). Such an organizational system requires a new promoter for this good organizational governance, an agent of change, role attributed to the chief risk officer. This system rests upon what Power calls “the moral economy of risk management” and its implicit or explicit celebration of the virtue of transparency and auditability in order to make internal processes visible. Responsibilization on strategic objectives and identification of risk owners is a way to ensure accountability to stakeholders: giving them accounts of how risk is managed. Concepts of operational risk and reputation risk are, too, boundary objects enabling the construction of manageability in banks and financial institutions. Reputation is even considered to be some kind of risk responsibilization, since one has to make his own reputation easily readable and auditable.

For Power, this discourse of ERM is a myth of control which serves to “organize organizations”, that is to organize uncertainty, thanks to a useful illusion of control. The question is not about measurement but about social demand for risk management evidence (accountability), demands for the management of the unmanageable (p. 180). This demand boils down to a political claim to accept organization as a major feature of our modern world. Risk may finally be seen as a mode of governmentality and as:

[…] as a continuation of control via the indirect technology of self‐audit. This mode of control relies on evidence and proof of conformity due to risk management process. The production of this proof in the form of auditable trails of process documentation is more significant than any external inspection (Power, 2007, p. 197).

Power (2007) offers an interesting overview of risk management evolutions during the past decades and its intimate links with corporate and social governance, named risk governance, a new way to tackle political issues, reframed as risk problems. The finally introduced concept of governmentality allows him to draw a portrait of modern business life sketched around the very concept of auditability which follows from that of accountability in the name of risk, through risk management procedures. Even if risk is an impossible thing and if the whole process would be better described as organizing what is truly uncertainty, far from mechanistic point of view. Such a broad concern for society, organizations and business had to be taken into account and reviewed in SBR.

Though Power arguments are quite clear and hard to dismiss, we wished that he would deal not only with the crucial issue of the implementation of ideas in risk management but also with the variety of real life implementation of risk management processes (we are not talking about systems, which would have been be too specific and narrow). If the author makes obvious the connection between risk management and control, he does not clearly relate his book to major works on organizational control, not even for criticizing them. Such a choice is a pity since the material was perfectly relevant for his topic. Moreover, his empirical domain of investigation is mostly that of financial industry (with references to public sector), leaving aside, for instance, food industry, heavy industry, etc. where risk metrics problems seem to be very different from financial industry and where regulations are not directly concerned by categories from Basel II (namely operational risk).

In the end, Power's book is illuminating and bringing in the foreground a highly relevant topic for today businesses and society. As a preliminary exploration of the ideas embodied by risk management understood as risk governance, the book is really worth reading even if we will be missing the flavor of field studies, because Power's aim was so broad and ideational. Anyway, this book may help debunk many ideas about risk and risk management, written by a talented management accountant and philosopher.