The formation of municipal risk management: a comparison of seven cities

Purpose – This study aims to explore the formation of municipal risk management (RM) and the reasons for the differences of RM practices between the seven biggest cities in Finland. Design/methodology/approach – The empirical data of this comparative qualitative case study comprises 33interviewsconductedwithmunicipalmanagers.Supplementarymaterialincludesdocumentarymaterialon municipalrulesgoverningRMaswellasannualreportsandrisktoolsusedinthemunicipalities. Findings – This study found differences in cities with respect to when, how and why RM practices had evolved.TheresultsindicatethatdifferencesinRMpracticesanddevelopmentpathsbetweencitiesarelargelyexplainedbythedifferencesintheoriginalreasontoinitiateRM,timespansinceitsintroduction,professionalandeducationalbackgroundsofriskmanagers,localriskeventsandaccountinginfrastructuresuchasRM toolsdevelopedinacity.Thesefindingsalsosuggestthatevenwithinthesamemunicipality,differentfunctionscanbeatdifferentphasesregardingRM. Originality/value – ThisstudyreportsonRMasanewformofaccountinginthefieldofFinnishmunicipalities. This highlights how fairly uniform considerations at the field level lead to variation in the elaboration of RM practices at the municipal level. The study finds that different paths in the development of local RM involve iterative evolution between the phases of emergence, largely explained by contextual differences. This study contributes to understanding the emergence of new accounting forms in a municipal RM context.


Introduction
Several studies indicate that risk management (RM) is becoming more important in both the private and public sectors (Hayne and Free, 2014;Hood and Smith, 2013;Oulasvirta et al., 2014).Despite the attention to RM in the public sector, in their literature review, Bracci et al. (2021) call for more research to analyze better the RM developments in the public sector, implying the need for qualitative studies, i.e. to open the "black box".Rana et al. (2022) also state that in the public sector, our understanding of risks is sparse and suggests more RM research, especially in the management of risks around essential public services.Nevertheless, only a few studies have investigated how new RM practices have evolved in municipal organizations (Oulasvirta and Anttiroiko, 2017;Vinnari and Skaerbaek, 2014;Bracci et al., 2022).In their recent study, Bracci et al. (2022) call for more fieldwork research "by considering the perspective of, e.g.politicians and/or functional managers and/or risk owners."Using survey data, Oulasvirta and Anttiroiko (2017) describe and explain the diffusion and adoption of RM innovation in Finnish municipalities.They argue that case-specific features play a key role in the process of RM development, thus signifying the need for specific field research on the subject.In this study, we will address this research gap.
In general, risk is defined as a possibility of danger, loss or adversity, which can be economical (monetary), operative (e.g.bankruptcy, injury and loss) or legitimation-related (reputation, etc. imago or political prestige) risk (Beck, 1992).In organizational contexts, however, the meaning of the concept of risk and the objects of risk are often socially constructed and depend on the moment, the field of operation and key personnel in the organization (Bhimani, 2009;Soin and Collier, 2013).The meaning, dimensions and prioritization of risk can be different in municipalities than in companies.For example, municipalities are not driven by profit maximization goals and are also influenced by heightened political reputation risk.In the public sector risk is usually understood in terms of failing to deliver public services (Black, 2005).
RM systems are often triggered by external pressures or regulatory demands (Carlsson-Wall et al., 2019), particularly in the public sector.One example of regulatory demands initiating accounting change is the Finnish Municipality Act, which dictates that the municipal council is responsible for organizing the principles of internal control and RM in the area of the municipality (410/2015; although the Finnish Act 325/2012 had already introduced RM to municipalities).Power (2015) calls this kind of field-level regulatory change as policy object formation that sets the stage for local adaptation and implementation of the regulatory objectives.In terms of institutional theory, shifts in field-level institutions such as regulations carry a coercive pressure to adjust rules and routines present in an organization (DiMaggio and Powell, 1983;ter Bogt and Scapens, 2019).Ensuing activities at the local level (in our case cities) involves activities to address the changes in the legislature.These activities are carried out through local actions and rules (ter Bogt and Scapens, 2019).At this phase, activities are often iterative and do not yet constitute a practice (Power, 2015).Rather, often ambiguous policy objectives set in the regulation are translated and elaborated at the local level into activities that contain capability to be reproduced through repeated actions into routines that can stabilize to form an institutionalized practice (Power, 2015;ter Bogt and Scapens, 2019).
Activities that address regulatory changes often involve different frameworks to guide activities.While several risk assessment frameworks have been designed and applied in the public sector (see, e.g.Lapsley, 2009;Andreeva et al., 2014;Carlsson-Wall et al., 2019;Palermo, 2014;Woods, 2009;Power, 2004), the risk templates and tools used in managerial decisionmaking are often relatively simple, focusing, for example, on the probability and impact of risk (e.g.Jordan et al., 2013).Power (2009) notes that the security obtained from RM is limited as not all eventualities can be anticipated.Abernethy and Chua (1996) noted similarly that the development of organizational solutions is often iterative and "does not follow a nice, neat and sequential series of steps" (p.569).This implies the possibility of variation in the way that risk is conceptualized and how RM may take place in different public sector contexts.
This paper aims to shed light on how the relatively new practices of RM in the case cities have evolved.This explorative study relies on a field study with features of a comparative case study approach to illuminate the situational complexities that could explain the differences between new practices and the paths that have led to these practices.The study utilizes Power's phases in the emergence of new accounting forms framework.We illustrate the evolution of RM practices in the case cities particularly through object formation and object elaboration phases (Power, 2015), while also combining theories on institutional change (ter Bogt and Scapens, 2019;Lounsbury, 2008;Suddaby et al., 2015) to aid our analysis.Our research in Finnish cities shows that the formation of RM had many paths (with multiple conditions of possibility, see Camic and Gross, 1998) that affect the developments at multiple phases.These possibilities and resulting differences between cities are explained particularly through case-specific (local) differences and the actions that risk managers in different cities initiate (c.f.ter Bogt and Scapens, 2019).We illustrate the differences in the institutional practices resulting from the routinization of local actions and analyze how the evolution of RM may involve iterative evolution also between the phases of emergence (c.f.Power, 2015).Accordingly, our research questions are: RQ1.How have RM practices evolved in the case cities?
RQ2.What accounts for the observed differences in RM practices between the cities?While Power's (2015) model explaining the phases in the emergence of accounting forms is required to understand the evolution of RM practices, institutional theory is required to understand what influences changes in RM in the case cities.We utilize particularly the ter Bogt and Scapens (2019) extended framework to aid our institutionally informed analysis for understanding change and stabilization of practices.
The paper proceeds as follows.Section 2 of the paper presents public-sector RM research.Section 3 describes the theoretical framework, and Section 4 focuses on our data and methodology.In Section 5, the paper presents the qualitative field study through the perceptions of risks and practices of risk managers in the seven case cities. Section 6 provides a discussion in the context of public sector RM literature with concluding remarks in Section 7.

Previous research on public-sector risk management
The increasing focus on RM in public sector organizations can be understood as a change program flowing from the new public management agenda (Hood, 1995;Lapsley, 2009).A growing body of literature illustrates the development of RM in different countries and sectors of public service delivery (Woods, 2009;Hood and Smith, 2013;Palermo, 2014;Oulasvirta and Anttiroiko, 2017).Regulatory initiatives and the practicing organization also play a key role in driving the development of RM in the public sector (Carlsson-Wall et al., 2019;Committee of Sponsoring Organizations of the Treadway Commission, 2004).
According to Soin et al. (2014), the discourse of risk and the way it is managed is not always a feature of the wider management control framework in organizations.Lapsley (2009) noted that techniques derived from the private sector expanding into the public sector in the wake of the new public management approach include RM, risk control and risk audits.These, however, may direct the focus of operations away from the core processes and practices (Lapsley, 2009;Olson et al., 2001).Rana et al. (2019) suggest that government entities need to embed RM within management control systems to identify and manage risks.Oulasvirta and Anttiroiko (2017) suggest that local governments are slow to adopt RM practices if they are not obligatory.Further, they note that differences in RM development in the Finnish public sector may be due to the different financial situations of the municipalities and other case-specific features, even if they do not specify them in detail.They note that the size of the municipality does not necessarily explain the RM differences in municipalities and thus note a need for further research through more in-depth methods, such as qualitative case studies (Oulasvirta and Anttiroiko, 2017).To study the phenomenon deeper, we conducted field research via 33 interviews in the seven biggest cities in Finland to ascertain the various meanings of risk, the development paths of RM practices and the ways used to manage risk.
In general, the board of the organization is responsible for organizing and regulating RM practices.Yet, Anderson and Eubanks (2015) distinguish three lines of defense in RM where the first line of defense is the operative/line managers, the second line is the risk officers and the third line of defense is the internal audit function that monitors RM practices and reports to the board.
RM in the public sector is challenging owing to the democratic, non-profit nature of the sector and the complexities involved in determining the far-reaching consequences of actions, for example, on public well-being (e.g.Lapsley, 2009).In addition to COSO ERM, there are several other, often mechanical, frameworks for control, internal audit and risk assessment, such as control packages, risk maps, control cubes and risk reporting frameworks (see Lapsley, 2009;Jordan et al., 2013;Malmi and Brown, 2008;Rautiainen et al., 2015;Spira and Page, 2003;Hall et al., 2015).For example, the COSO framework is a well-known framework including several analysis categories, such as internal environment, objective setting, event identification, control activities, communication and monitoring at multiple organizational levels.In contrast, the framework presented by Jordan et al. (2013) focuses on risk maps with two dimensions addressing the probability and impact of risks.Bracci et al. (2022) studied the integration of RM and performance measurement (PM) systems and showed how different types (collaborative or competitive) of boundary work explained the creation of shared contexts and eventually the integration between RM and PM.This illustrates how different models may be created through the collaborative work of associated actors.Power (2004) calls for intelligent RM practices able to overcome the narrow control-oriented view.He also emphasizes the reputational risk in the public sector, in which an economic sanction of lesser importance can cause a loss of political reputation through the loss of legitimation.Various forms of certification and quality projects are increasingly implemented to control such reputational issues, especially in universities (Power, 2004;Power et al., 2009).Power (2004) notes that internal controls and various types of audits have become important elements of organizational processes and that reputational risk "increasingly pervades organizational life at all levels of society," and also notes that RM can be seen "as a defensive reaction to an increasingly demanding environment" (Power, 2004, p. 64).However, Power (2004) also remarks that RM is not just a matter of internal control.Instead, political culture and general reactions to uncertainty and failure require attention and development and that accounting is essential to provide relevant information on strategy and risks.
However, the focus of accounting research on risks has been more on how practices begin and develop and how infrastructure affects them (Power, 2009(Power, , 2015) ) or on examining the influence of organizational culture in not-for-profit organizations (Chen et al., 2019).Mikes (2009) noted a growth in calculative practices, which could lead to the formulation of a culture of excessive regulation (Power, 2004(Power, , 2007)).Lapsley (2009) and Olson et al. (2001) warned against excessive regulation, such as increasing controls and RM, which can reduce the resources available for key operative processes.Further, people safeguarding their position and avoiding personal blame can encourage a culture where seemingly transparent reporting does not really improve operations but is instead used to shift blame around networks of organizational stakeholders (Hood, 2007).In addition, in their study, in a Finnish municipality, Vinnari and Skaerbaek (2014) argue that RM itself can further uncertainty when the RM frame collides with another frame, such as those shaping political decisions or regulations.Finally, Power (2009) argues that the security obtained from the use of RM practices is limited at best and only applies to some parts of the world.The same author also advocates incorporating psychological factors and human behavior considerations into RM models to counter all eventualities not being foreseeable.
To sum up, earlier studies have defined elements of RM.The body of accounting literature on RM practices has identified several issues and possible outcomes in implementing RM frameworks in different organizational contexts.Yet, calls have been made on understanding RM developments and practices of key actors better (Bracci et al., 2021(Bracci et al., , 2022)).Therefore, to study the actual practices of RM in our municipal organization context, it is important to understand how activities of organizational actors lead to new RM practices, while paying close attention to field-level institutional shifts that drive these developments.This enables us to illustrate the issues behind the differences and variations in RM developments.
3. Theoretical frame: the emergence of new accounting forms Our field study draws on Power's (2015) framework explaining the beginning of new forms and practices in accounting and also theories on institutional change (Lawrence and Suddaby, 2006;Lounsbury, 2008;ter Bogt and Scapens, 2019).Power (2015) points out that it is very difficult to say where accounting begins, although 40 years of research has unveiled the processes and features of accounting change.Power's (2015) framework outlines the phases preceding the emergence of new accounting forms.The four phases are object formation; object elaboration; activity orchestration; and practice stabilization via infrastructure (Power's, 2015, pp. 44-45).Typically, the process begins with problematization at the field level.That usually involves formulating policy problems and proposing possible solutions in the object formation phase.At the organizational level, the process continues with object elaboration, where the pressure for change may come from multiple sources.Ter Bogt and Scapens (2019) illustrate that institutional pressure for change may come from both field and local levels.As an example of field-level pressure, they note governmental regulations.According to them, institutional research has somewhat neglected contextual analysis at the local level (organizations).Power (2015) sees that object elaboration is partly conducted at the field level, but organizational situations are heterogeneous and differ between organizations, making policy problems and practical solutions difficult to understand.Practice variation between organizations may be the natural outcome of difficulties in internalizing the policy objectives and meeting the new requirements for the production of new organizational knowledge.In this study, we emphasize the role of local actors, practices (c.f ter Bogt and Scapens, 2019) and specific and severe events (local risk events and their interpretations, e.g.regarding terrorist attacks or extreme snow storms) that may change the way risks are perceived or prioritized in the object elaboration phase.
The third phase in the emergence of new accounting forms is activity orchestration (Power, 2015).Templates are often used in this process, as they make information management easier.However, ensuring new information can be collected, reported and understood is often a demanding exercise involving considerable uncertainty.Initiating new accounting practices is often an iterative process that resembles trial and error more than mere technical implementation of new tools.Those activities that end up being repeated, for example through their utility, may become routinized into institutionalized rules and routines in an organization (ter Bogt and Scapens, 2019).The fourth phase, the stabilization of new practices at the organizational level, is highly dependent on information systems, guidelines or other accounting infrastructure and the institutionalization of political needs and rational myths related to the new form of accounting at the field level (Power, 2015).
The phases are not necessarily taking place in a completely straight-forward way because there can always exist multiple conditions of possibility (see also Armstrong, 1994;Camic and Gross, 1998;Modell, 2017) as drivers for change.The conditions of possibility for a particular project include other projects, society, external forces and historic legacies (Camic and Gross, 1998).For example, existing accounting forms and infrastructures in an organization may affect RM development.Further, developments in society and science, external events and forces and also historical developments and narratives about them can affect the development of RM.
Practice variation, e.g. in organizational behavior or in cultural frameworks, stems from both proactive changes and natural dispersion in human reproduction of rules and routines, but also from variation in the perceived pressures or logics (see Arena et al., 2010;Lounsbury, 2008;ter Bogt and Scapens, 2019).The cultural frameworks are created and gradually

Municipal risk management
changed by these, often minute, differences in reproducing the practices in different organizations (Lawrence and Suddaby, 2006;Lounsbury, 2008;ter Bogt and Scapens, 2019).However, different institutional pressures or professional logics (e.g.created by actors' differing roles or educational backgrounds) might also explain the variation of practices (see Lounsbury, 2008;Miller et al., 2008;Suddaby et al., 2015).Therefore, RM practices in municipalities may also be subject to constant adjustment, further contributing to practice variation (see also, Tekathen and Dechow, 2013).
Rautiainen and J€ arvenp€ a€ a (2012) emphasize the different institutionalized ways of decisionmaking (could also be considered as rationale, see, e.g.Vaivio, 2008) among actors in explaining practice variation evidenced in the performance measurement of different municipalities.This suggests that the functions in municipalities assess potential risks differently; for example, a risk assessment and action plan in the technical services function might differ from one in the education function.Further, institutionalized practices and the infrastructure can differ at the organization or organizational hierarchy levels, which can affect the adoption of new practices, such as RM tools (see Power, 2015).Such risk tools involve developing organization-specific measures and common calculative practices (see Mikes, 2009).Lounsbury (2008) argued that institutional studies have been too focused on organizational isomorphism and mimicry (see DiMaggio and Powell, 1983), while situationspecific and change-centered studies remain scarce.Lounsbury also reported earlier research demonstrated how practices spread through various fields but overlooked the decisionmaking role of individual managers in heterogeneous situations.Similarly, ter Bogt and Scapens (2019) note that institutional research should account for local differences while recognizing the field level influence on local organizations.Miller et al. (2008) noted that much of the earlier RM literature directed attention to formal processes and standardization between organizations.Instead, in our research, we particularly focus on the phases preceding institutionalization of RM at the local (municipal) level.

Methodology and description of Finnish municipalities
This research uses a field study utilizing features of comparative case research (see Yin, 1984).Vaivio (2008, p. 65) noted that qualitative case-based research typically, "relies on rich empirical material collected from a single target organization or a handful of case organizations . . .It uses multiple sources of evidence, such as interviews, documents and other texts as well as forms of participant observation within the research site."Qualitative research can be used to examine poorly understood phenomena and is suitable for studying complex social settings in which causal relationships cannot easily be observed.
Our field study addressing RM in Finnish municipalities took place in the seven biggest Finnish cities between 2017 and 2019.The population in our case cities varied between 140,000 and 645,000 people.In Finland, all cities can be called municipalities, but not all municipalities are cities.A municipality can decide it should be referred to as a city if it is deemed sufficiently large in terms of population and services provided.There are no clear guidelines as to a sufficient level of services or population, but all the largest municipalities in Finland have nominated themselves as cities in addition to their municipal status.In Finland, the distinction is mostly historical, as, in the past, city status enabled a municipality to trade with other legal entities.
Our extensive empirical data includes 33 semi-structured interviews conducted by all the authors with municipal managers at different organizational levels (see Appendix 1).Some interviews resembled an active discussion more than a recording of precisely formulated questions and responses.This approach made it possible to examine the topic from different angles (Alvesson, 2003).We obtained permission from all the interviewees to record the interviews and provided assurance that no single person could be identified from the data.We mainly used interview data but also analyzed some documentary data (such as annual reports, internal city reports, policies and guidelines and risk calculation documents) in accordance with case study principles (see Yin, 1984).These documents describe RM practices in our case cities, for example, with Microsoft Excel sheets of the various risk tools or risk profiles, e-mails, descriptions of internal control practices in cities and administrative policy papers.Further, one member of the research team worked earlier in the administration of one case city, facilitating participative observation, contacts to the cities and thus our wide data and good access to the cities (also improving the reliability of the study).
Following the transcription of the interviews in our seven cities, each researcher reviewed the interview material and sorted the collection of remarks into themes.After that, the researchers compared themes between themselves to enhance the validity of the interpretations.Accordingly, the analysis of interview data included features of content analysis, such as categorization and ethnographic analysis, including trying to understand the socially constructed organizational reality of interviews (e.g.Silverman, 2001, pp. 122-129;Golden-Biddle and Locke, 1993).
The municipal council supervises the implementation of RM and other guidelines set by the Finnish Municipality Act.In all case cities, there is an official with the title of Risk Manager or Risk Officer.The Finnish Municipality Act (410/2015) dictates that the municipal council is responsible for organizing the municipality's internal control and risk-management principles (Finnish Municipality Act, ch.4,para.14).
In the municipal RM context of our study, the Finnish Municipality Act can be seen as the first (field-level) phase (object formation) in the phases in the emergence of new accounting forms framework (Power, 2015, Finnish Act 325/2012).The emergence and refinement of the Finnish Municipality Act as an instrument of RM in cities has become a widely operationalized accounting form.In 2012, the Finnish Municipality Act was changed to include requirements for RM and internal control (Finnish Act 325/2012); however, two pioneer case cities among our seven cases -Cities A and Bhad compiled RM guidelines also earlier.

Formation of risk management in seven cities
Our interviews and document analysis revealed differences between the cities in terms of their willingness to address RM issues.For example, some cities (i.e.E and G) had proactively addressed RM issues before the new municipal act made it mandatory to do so.In the interviews, we concentrated on the following theme areas; interpretation of the concept of RM, the RM practices in use, the frameworks used in RM (including risk charting and measurement), the use of RM information in political decision-making processes and city management and the influence of RM in city management.
Regarding the development of RM in case cities, we asked questions about the development of RM practices in each city, the possible use of consultancy services, the development of different risk scenarios, etc.In the case of the frameworks used in RM, including risk charting and measurement, we asked about the various frameworks (e.g.COSO) and software used and the use of risk indicators or measures.Reporting practices, the development of risk reporting and decision-making processes were also discussed.Finally, we asked about the influence of RM on city management.We will now move on to discuss our empirical findings.

Variation in the perceptions of risk
The role of RM and its various issues was a major theme raised in the interviews.We noticed variations in practice, that is, differences in the object formation and object elaboration phases identified by Power (2009).Further, we saw issues with implementing RM practices in the case organizations, for example, in persuading particular professionals in various sectors of the organizations to accept responsibility for such practices.The issues seemed partly to result Municipal risk management from ambiguous responsibilities and instructions from the governing officials of cities.
In addition, interpreting the provisions of the Finnish Municipality Act was quite challenging.The case cities in our field study had different resources and organizational forms for RM, and different understandings of the concept of RM and variations in how RM practices had evolved.In some cases, certain events where risks had actualized had a major impact on starting RM programs.In other cases, RM was understood as a part of the ongoing administration process, that is, not as something requiring any specific new treatment but as manageable through the continuation of existing practices.
Since this January, I have been ten years in this job as a risk manager; before me, nobody had this job.It means I have started this out of nothing, it has been a wonderful thing, and this, I think the impulse has come from the security side. . . .an employee was stabbed in social services (when doing work) . . .which started this kind of security development in (case City D). (Risk manager, City D) A raising trend in the recent years has been threat of violence, even the threat of terrorist acts, drug injection needles, and sexual harassment.(Internal control manager, City F).
The stabbing incident (in City D) or the threat of violence (in City F) can be seen as an external force or a local risk event; something that conditions how risk is understood and addressed.Such case-specific features or risk events affect the object formation and object elaboration phases.In this case, the focus of RM discursive practices shifted from economic risks toward understanding risks primarily as safety and security issues.
Well, first, I would say that now it (risk management) has been highlighted, but we have always had it. . . . it has been built-in thinking all the time.When we prepare for things, especially financial issues, it is, of course, essential to think about the risks.(Financial manager, City A) We have (in our city) COSO ERM -framework and also ISO 31000 -standard in use.The aim of these are that risk management would not be an unattached activity that would vary a lot.(Internal control manager, City C).
All the case cities had created a risk manager position.This position typically started in close relation to internal auditing by dividing the duties between the two functions.As the internal auditor is required to be independent of the management, a new role for risk manager was necessary to entail a role of internal consultant on the matter.
Before me, in this city, we didn't have any risk management chief position, but it was a new position in which I started.Yes, I was working under the director of finance, he was already trying for many years to get permission to create this risk management chief position, but at that time, there was no green light for that.It means, in practice, there were no city-level risk-management procedures before that (2015 municipal act).Of course, we have estimated risks (before) as part of several processes.(Risk management chief, City B) Amongst other things, since 2014 each field of operation, all the strategic business units of our city annually make their risk assessment using common risk tools . . .we have altogether almost 20 units including energy, water supply management, harbour, etc.We have a common risk matrix in use in which we can compare certain risks between the fields.(Risk manager, City F) In addition to the new risk manager positions, another new organizational arrangement was the formation of a steering group for RM in some cities (e.g.City B).The group usually had authority over RM, but in some cases, the group operated only for a few years before being terminated.Such a steering group, however, provides support and structure to RM and thus suggests a more mature phase of RM developments in the municipality than the risk manager working alone.
We should have a steering group for risk management.We don't have one, at least we haven't had any meetings for the last half year.There might have been (a steering group) but then it came to nothing because some important person withdrew.It would be absolutely important that kind of person would unite the different fields of operations, organize a common forum in which we can experience things from bottom to top, and also take the message forwards.(Auditing chief, City A).
Well, roughly speaking, the division of duties is so that the instructive and coordinating role (of RM) is my responsibility.Then we have this kind of risk management steering group, since 2014, in which we have all the branches of activities, some municipality enterprises and other important stakeholders represented.This steering group supports me in my job so that the distinctive features of different branches are taken into consideration.(Risk management chief, City B).
The concept of risk was understood differently in the various service sectors.In case City A, for example, risk control varied from locking up the hazardous substances in a certain school class after a chemistry class to anticipating the effects of a big winter storm.
Risk number one is a bad winter storm on the weekend.If we have 1 meter of snow on the roads, the problem is that the rescue vehicles can't move in the streets, the hospital personnel can't go to work, and the help service of the elderly can't reach the people etc.This can cause life-threatening problems.(Manager, field of operation, City A) The general perception of risk varied from tangible issues to abstract ones.
I think it (risk) means that people should know that they should do something, but I don't know what they should do in practice.I mean, implementing is the thing that is really not ready yet. . . .For example, our instructions, the instructions of our internal control, is such that it isn't said what I should exactly do in this phase.I see that the person who is not (the professional) doing it as his fulltime job is not so interested (in risk management) in the work if nothing has happened [laugh].(Auditing chief, City A) In our case cities, the interviewee's position influenced the meaning they ascribed to risk.Financial managers saw RM as involving nothing new, but those staff members often limited their attention to economic issues.Risk managers usually know the risks of their own sectors very well.The interview data we obtained illustrate that comprehensive RM and the different meanings of risk are at the hub of RM.
I think some people may think of risk management as economic risks, but it is a very small part of it.I believe that the field of operations understands that through their own doing.Many people understand risks as safety at work issues, for example, fire stations and rescue stations.For them, it is a more natural way of thinking (risk management issues).(Auditing chief, City A).
. . .I maybe see that, in my opinion, risk management is, before anything, a systematic procedure to identify targets that have been set, the continuity of operations, resources, people, property, and the threatening factors.(Risk management chief, City B).
One of the interviewees, the financial manager in City A, had been tasked with RM, in addition to his other duties.When asked about the meaning of RM, he commented: Well, for example, when you think about tax revenues and try to estimate them, then I think about the risks in that it (expected level) does not materialize.Then the state subsidies.Then all the risks fall on the expense side.There is always the risk that you cannot perform all the things that were planned.(Financial manager, City A) Risk manager in City E also highlights the financial risk and IT -risks: The risks regarding finances are always big.But now the state of the economy is in good, strong shape in our city.And, well, the economic risks have been very critical and important for a long time.These are the risks we have traced.Risks regarding information technology and data security are also very important . . .We dig and build a lot and if we cut an important cable and (in our city), a big data communication blackout might occur.(Risk manager (public utility 2), City E)

Municipal risk management
Understanding the meaning, resembling the object elaboration phase (Power, 2015), of risk seems to affect how the management of risk is organized and which risks are focused on.When risk is understood as possible damage or employee injury, it is usually organized as part of the financial organization.However, when risk is understood as an issue that hinders the achievement of organizational goals and objectives, it is organized as part of the general management of a city and the service organizations belonging to it.Further, the risk planning and reporting practices often become more formal after the organization has orchestrated activities relating to it through templates and required activities.
In our city, we make a risk management plan in May . . .and then in relation to the financial statement we do a report about the realization of the risks.(Internal control manager, City F) Cities that were already far in the process of developing RM measures illustrate how calculative practices achieve organizational significance through specific tools and techniques developed and used for risk assessment: In our various management boards, from time to time, we typically follow ten most important risks, and their realization and ponder them using a traffic light technique [red, yellow, green].(Field manager, City G) This study illustrates the development paths that our case cities have progressed through in relation to RM (Appendix 2).The table in Appendix 2 illustrates the moment when each of our case cities implemented RM practices in their organizations.Interestingly, object elaboration phase of RM in the case cities often began with risk being understood as narrowly related to a particular function.For example, threats to personnel in Cities D and F triggered the formation of security-focused RM, whereas in Cities A and E RM had been developed in relation to the economy and, in particular, the planning of large investment projects.
We found the case cities had some difficulty implementing new RM practices.One such issue was how to persuade people in various sectors to take responsibility for RM practices.Part of the problem was a pluralistic understanding of risk as well as ambiguous instructions and hence a lack of clarity about the responsibilities.In addition, the interpretation of some sections of the Finnish Municipality Act (after 2012) was challenging, leading to different cities acting on different interpretations.

Methods of risk management
Field-level laws or other existing infrastructures have often been the starting point of emerging practices (see Power, 2009).However, the activity orchestration of emerging RM practices and tools in our case cities also relied on the existing tools and operational models of internal auditing and budgeting.Recently, some of the case cities have used ISO standards and COSO ERM as guidelines to stabilize their own local RM practices.There were also practices, where RM was integrated into financial planning cycles and reporting infrastructures.
This has been quite theory-driven.We have tried to use the models, COSO and other possible models, and also tried to use the documents used in other cities.Our documentation is quite, well . . .we haven't used ISO-standard yet, but we know its meaning . . .(Auditing chief, City A).
In all cases, the work resulting from identifying the need for comprehensive RM in the city needed a dedicated actor for object elaboration and activity orchestration, while enabling practice stabilization required related accounting infrastructure.In order to form RM routines, risk managers sought allies in the organization and existing infrastructures that could be used to form stable practices in RM.Risk managers initiated development projects together with the managers of the service sectors.They started by listing different risks and evaluating them systematically.These kinds of activities may lead to variation in understanding risks and, in part, explain the way analyzing and presenting risks vary between cities.
The professional background of risk managers can be seen to have contributed to the understanding of the essence of RM in the organization, and the means considered suitable for solving this problem of governance.The risk managers with security (City E and F), police (City C) or military (City B and D) backgrounds focused strongly on security issues even if their job descriptions covered RM more generally.The financial manager (City A) who had been charged with establishing an RM process seemed to think of the risk in financial terms as concerning expenses and revenues.
As the global political situation changes, there is urban safety development work together with other authorities, and emergency planning.As a city, we have to be prepared for various emergency-and critical situations. . . .today I was in the management board reporting about security situation, which included an overview on terrorism and immigration and also about our domestic extremist groups, such as the extreme right and left.(Risk and security manager, City C) Typical feature of a city organization in Finland is the role of city council and the functionspecific RM in approving the procedures for formal guidance.To enable this, a method of risk measurement, analysis and risk reporting method had to be defined.There are several frameworks used in the city organizations, such as quality standards or COSO ERM.Some of the tools or practices have been adopted by some other municipalities too, implying mimicry as a source of shift in activities.
I would say . . .we have constructed this to be quite unique.And we haven't really copied anything from anywhere.Now I notice that our risk circle [a risk analysis tool] seems to be in quite a few municipalities and cities as a basis.I have also seen consultants use it.I know that because there are certain terms used that nobody else uses, like "the security of the service production."(An internet search shows) those words have been used now and then in various presentations, and I think others have copied us more than we have copied others.(Risk management chief, City D) Well, we have been actively developing risk management for the last two and a half years.Before that, there was also development, but then we took applicable parts of the COSO ERM framework as a basis, and then also the ISO31000 standard.Through using them, we strove for risk management to be uniform across our service sectors; that is, there would not be a lot of variation.And actually, this would be the basis for what risk management is (here), so these principles of internal control and principles of risk management have been accepted for use by the council of (the city).(Internal control manager, former risk manager, City E) We identified a number of issues within integrating RM practices into city management and PM practices that the interviewees considered needing further development.For example, the instructions for conducting RM and integrating it to city reporting were considered very cursory.
When they say in some instructions concerning the composition of the budget that every field of operation should do risk mappings, report the three most important (risks), and make plans for them, then the people don't know in practice what they should do . . .(Auditing chief, City A).
The administration ensures RM is associated with the annual planning cycle.When RM is integrated into the annual planning in the city, it becomes one of the management processes and may be related to other IT and reporting systems and development processes (see also Bracci et al., 2021).However, this area also seems to require further development.
During the annual surveys, they asked us to follow up.But we don't have such follow-ups.(Auditing chief, City A).

Municipal risk management
We also found some problems in the attitudes toward RM.The employees did not recognize the benefits of RM or consider RM part of internal auditing.
And it is a boring thing . . .what is the point of it . . .we don't want to report it.Maybe we know and recognize it unconsciously, but they don't want to report to us (city management).They think that it will cause extra work when somebody comes to check things.The previous culture was that the auditor was traditionally just like this, a spy or stalker.(Auditing chief, City A).
Further, we found differences in the use of RM tools, even within the same city.Based on our interview data, in addition to the COSO ERM framework used by City C, for example, in the technical field (land use, road maintenance, etc.) of City A, a risk assessment based on effect and probability was conducted (see Appendix 3).
We use a scale of 1-5 for probability and for effects . . .typically you need to get at least 3 in both to be of importance (Manager, field of operation, City A) We opened a new school two years ago but there was mold on the school.It was a piece of [vulgar word].I admit that the construction building work was not supervised properly.The school was closed after two years usage.Somebody must do the RM work much better!(Internal control manager, City G).
The risks might be different in financial and environmental terms.Therefore, the risk scores for different types or categories of risk might be analyzed separately.Further, City C color codes its risk issues as red, yellow or green depending on severity.In addition, City C color codes an issue as blue if the risk offers opportunities and potential for development.
If we go to the red side, it causes an operative, financial, or another negative impact.If we are on the green or even blue side, we see . . .significant potential to benefit from the operations or the situation.
(Internal control manager, City C) In summary, the RM practices in our case cities differ in integration type, either as part of the internal audit tradition or of management operations.Being part of the internal audit tradition, of course, makes available auditing tools, such as the COSO ERM model but the opportunities to make a strategic impact might be greater if RM is seen as an aspect of strategic management.Our case organizations were using several different RM tools and practices, and the various service sectors understood the concept of risk differently.

Discussion
This study reports on the beginning of RM in seven Finnish municipalities.Accordingly, it adds to the literature on the adoption of RM (Spira and Page, 2003;Mikes, 2009;Jordan et al., 2013;Hayne and Free, 2014) as well as the dynamics at the beginning of accounting (Power, 2015).The impetus for embarking on RM varied in our case cities in terms of the starting time and the actual reason behind it.Some of our case cities were motivated by some adverse event to initiate RM programs, while others had started to formulate RM even before the municipality act.Case City G had initiated a RM program well ahead of others, as part of general management development, looking also at, e.g.best practices in the private sector at the time.Further, one interviewee from City D had noted adopting best practices, even imitation of guidelines and practices, among Finnish cities.Instead of emphasizing the municipality act alone, we show how external forces or historical developments, such as local risk events condition the ways of discussing and understanding risk, thereby highlighting the object formation and affecting the object elaboration phase so that the understanding of risk may focus on, e.g.toward understanding risks mainly as safety risks.
Here the external forces mean, for example, general threat of terrorism, and local risk events refer to actualized risks like data communication blackout or stabbing.
Further, we note that the organizational activities feedback into the earlier phases, e.g.elaboration phase or activity orchestration.This highlights how changes in activities at the local level may result in new paths for routinization (ter Bogt and Scapens, 2019).We also noted that in some cases, cities started RM from activity orchestration without a clear elaboration phase, while RM was elaborated through activities conducted later.Thus, the beginning of a new accounting is not necessarily a straight-forward process, as depicted in the original model by Power (2015).
Theoretically, RM frameworks are gradually changed by the small differences in reproducing practices (Lounsbury, 2008).However, this paper highlights how local risk events, institutionalized forms of decision-making (see also Miller et al., 2008;Suddaby et al., 2015) and the role of organizational actors (i.e.risk managers) explain much of the variation in RM practice.Analyzing local RM practices illustrates the context-specific differences as a source for varying possibilities in routinization of activities and answers the call (by ter Bogt and Scapens, 2019) for research on local variations in institutionalization processes.Risk managers' career-and educational backgrounds seem particularly influential.Bracci et al. (2022) use the term risk expert but it is noteworthy that the risk managers in our Finnish context were not uniform risk experts regarding their backgroundand focus.
The seven cities studied had taken markedly different paths to arrive at their RM programs, thus representing differences particularly in object elaboration and activity orchestration phases concerning RM.Differences in risk manager background, local risk events and accounting infrastructure, such as RM tools developed in a city in reaction to legislation have influenced the phases that cities have gone through while developing their RM.While some of the cities started their RM program relatively late and more directly from activity orchestration by creating a risk manager position (C and D), City A had conducted object (RM) elaboration by starting from internal audit guidelines.City B started from implementing methods of fair administration, which suggests an activity-oriented ethicsbased approach to RM.However, only the "forerunner city" (City G) in terms of RM had created express ethical principles governing the issue by 2016.Our paper sheds light on the expertise required to put RM into practice.We agree with Palermo (2014) that the use of RM tools is dependent on elements such as prior professional expertise.
The case cities had both external and internal reasons for creating the new risk officer role.The external reasons are mainly related to the Finnish Municipality Act (Finnish Act 325/ 2012) requiring municipalities to establish RM practices, constituting a field-level institutional shift.An internal reason was the need to increase the independence of the internal audit function from the city management.This is exemplified by most of the case cities having internal audit guidelines in place before the risk manager position was created.
There were no dedicated RM information systems in use in our case cities; that is, there was little infrastructure to assist in the stabilization of RM practices (cf.Power, 2015).The risk officers were aware of such tools but were reluctant to invest in new software, preferring to continue to use local reporting tools based on Microsoft Office applications.Although there were no incentive schemes linked to RM, the responsibility associated with it suggests that someone would be held responsible if avoidable accidents or events with a severe negative impact occurred.The municipal RM guidelines were often developed by imitating (see DiMaggio and Powell, 1983) those in place elsewhere.The current research reveals that, since field-level regulations did not provide specific guidance on RM, local-level guidelines became an important part of the infrastructure supporting the elaboration and stabilization of RM practices.As such, this paper also answers the calls for research on the new RM in the public sector (Carlsson-Wall et al., 2019) in terms of how local solutions and field-level regulations interact.
We observed differences among our case cities regarding the beginning of RM, corresponding with different phases of RM.Table 1 illustrates differences in RM phases, resources, processes and the rationale and focus behind RM.We interpret these differences in

Municipal risk management
Table 1 as suggesting that RM development starts from different emphasis, based on contextual differences.Concerning Power's (2015) framework phases (object formation, object elaboration, activity orchestration and practice stabilization via infrastructure), a newly formed RM practice involves object formation and elaboration phases being intertwined and in progress.Later, the organization-specific RM practices and tools are created, with some effect on the conceptualization of risks (potentially affecting object formation reciprocally).Then, in what might be seen as more stable RM, the conceptualization of risk and the practices become institutionalized, being stabilized via infrastructure (see Power, 2015).We argue that at this stage of RM, organization and integration with other accounting and management practices become established and also subject to benchmarking by others.
Our comparative analysis led to finding municipalities with low integration between RM, PM and reporting (City D with security focus), with only limited resources dedicated to RM.We also found cities at the stabilization phase (these could be referred to as the forerunner of advanced cities, i.e.City C and G) where the integration of RM and other management processes was better developed, the perception of risk was wider (including, e.g.financial, security and abstract image etc. risks) and also more RM resources were available.Some of our cities (e.g.City E) were orchestrating calculative practices in their RM, while moving toward stabilizing these practices.Based on this, we have analyzed RM practices found in our case cities in relation to Power's (2015) framework on phases of emergence (see Table 1).
When RM practices were still immature and in the process of being elaborated at the local level, RM relies on ad-hoc analysis and an often-mechanistic understanding of the subject.This would often be the case if there are, for example, no steering groups or COSO etc. models used to support the work of the "lone" risk manager.Cities that were in the process of developing RM measures illustrate how calculative practices achieve organizational significance, thereby representing activity orchestration where RM has been elaborated through for example audit guidelines (see Mikes, 2009;Power, 2015) these processes are carried out in an uncoordinated way, although such calculative practices may be important to the long-term creation of RM know-how.More mature RM is integrated into budgeting and managerial practices, and the focus of risk analysis is not only on safety and economic risks but also covers image and the strategic and political aspects of risk.This type of RM has more stable, institutionalized infrastructures (e.g. the steering group and other support mentioned in the quotes) and represents the practice stabilization phase (see Power, 2015) where RM is already institutionalized into operating practices of the city (Power, 2015).We categorize the empirical findings related to the perceived type and focus of RM in the central administration in our case cities.However, it is important to note that a municipality may include several sub-units, subsidiaries and operational functions with their own features running independently of central administration practices that might require separate analysis.In our case municipalities, the central administration was responsible for organizing RM issues in different functions (e.g.basic health care, education and culture, rescue services).Table 1 includes notions about the differences and similarities among the cities.For example, Cities C and G had integrated several RM practices into their governance, while, for example, in City A, RM was still being elaborated, so that RM was understood specifically and narrowly.
We agree with Power (2004) that RM can be seen as a defensive reaction in a demanding environment and that accounting input is essential in providing relevant information about strategy and risks.However, even in the public sector, the conceptualization of risk involves more aspects than the consideration of reputation or political gaming.For example, some of our case cities aimed to integrate RM issues and strategic management practices into what we might call strategic RM.Further, we agree with Vinnari and Skaerbaek (2014) that the different and still relatively un-institutionalized perceptions of RM may create uncertainty over political decisions, government regulations and audit practices.

Conclusion
This article analyzed the RM practices of seven Finnish cities. Accordingly, it contributes to the literature on RM in the public sector and municipal organizations in particular (Woods, 2009;Vinnari and Skaerbeck, 2014;Palermo, 2014).We also complement the survey-based research of Oulasvirta and Anttiroiko (2017).Those authors admitted their model did "not provide sufficient explanation of the diffusion of comprehensive risk management in local government [and] we may assume that particular case-specific features play a key role in the process" (p.468).Considering the variation in local activities (see, e.g.ter Bogt and Scapens, 2019), this study found several development phases and RM tools in use.Our empirical material indicates that cities adopt a range of different approaches to RM.Some of the cities considered reputational risk, some integrated opportunity analysis into RM, while others considered it purely in economic terms.
Our field analysis revealed variations in RM practices and the associated rationale.Our analysis focused particularly on how the differences between municipalities and RM practices affect the local application of the Finnish Municipality Act, including its requirements for RM and internal control.Our field research shows that RM has multiple conditions of possibility (see Camic and Gross, 1998, e.g.historical developments or events, and the subsequent paths chosen), which drive change at the local and field levels through the adoption of different activities and their possible routinization.These are reflected in the different phases of RM in the case cities.While object formation took place at the field level through the new municipal act, we illustrate how phases of RM varied locally in the case cities; RM started in some cities through activity orchestration, while in others it advanced starting from object elaboration in various ways (e.g.ethics based guidelines or Municipal risk management audit guidelines).Through feedback from organizational activities, municipal RM was specified through reciprocal and continuous elaboration and orchestration of activities.We illustrate how changes in rules and routines at the local level may result in new paths for routinization (ter Bogt and Scapens, 2019) and ultimately institutionalization of RM practices.
This study contributes to the work of Power (2015) by applying and showing the reciprocity and the interplay among local and field levels of the phases in the emergence of new accounting forms framework in a municipal RM context.This study critically investigates the emergence of the form and content of risk, the focus of RM activities in seven case cities, RM development phases and how the phases are implemented.This increases our understanding of RM developments and thus helps to open the "black box" of RM evolution and diffusion as called for by Bracci et al. (2021).In particular, we note that object elaboration does not always start from the policy or field level but can also stem from local events and developments.Moreover, in the context of municipal RM, we offer evidence of multiple possible development directions and feedback possibilities, and also reciprocity between the object elaboration and activity orchestration phases.We found differences in RM emergence between case cities (see Table 1).We analyzed the maturity of RM practices against the phases of emergence (Power, 2015) and identified various performance measurement tools and practices in use while investigating RM infrastructure in Finnish cities.We agree with Bracci et al. (2022) that the work of key actors, e.g.collaboration between controllers and risk experts can be important.However, we contribute to this by highlighting also the local risk events, i.e. typically drastic events that affect the common perception of risk (specifying the case-specific features mentioned by Oulasvirta and Anttiroiko, 2017).Further, the management tools (both performance measurement and RM tools, especially if used in an integrated way, see also Bracci et al., 2022) were important in our comparative setting in focusing operations.
The findings of this study have two practical implications.First, an analysis of RM practices and their phases of emergence (see Table 1) can unveil the current state of RM practices of whole municipality organizations or different functions within a municipality.The findings suggest that even within the same municipality, different fields of operations can be at different maturity levels regarding RM.Second, we identified differences in the extent to which RM was consulted by internal audit.Internal audit function used a variety of audit tools such as the COSO ERM model to facilitate risk analyses.RM was in some cities integrated into strategic management work.We suggest that integrating RM into strategic management practice allows the use of strategic management accounting tools in addition to audit models.This offers an even more impactful route to establishing RM in the public sector.
Finally, we suggest avenues for future research.We encourage studying the beginning of new accounting-related practices, where for example the formation of new groups of risk experts in the public, private or third sector might merit further investigation.Further, the integration of internal audit, RM, strategic management and the strategic management accounting tools may give birth to a hybrid expertise, which would warrant further research.