Wednesday, November 25, 2015

12 Enterprise Risk Management and the Organization of Uncertainty in Financial Institutions


MICHAEL POWER



Introduction
ERM and the Risk-Based Concept of Corporate Control
ERM and the Control-Based Concept of Risk Management
ERM as World Culture?
ERM and the Moral Economy of Financial Organizations

Conclusions: ERM and the Organization of Uncertainty
Introduction
Since the mid-1990s, enterprise risk management (ERM) has emerged as a set of ideas for rethinking the organization of risk management activities. There has been a conspicuous growth of normative and technical texts on the subject of ERM (e.g. Barton, Shenkir, and Walker 2001; Walker, Shenkir, and Barton 2002; Lam 2003), which is also characterized by related motifs of ‘holistic’, ‘integrated’ (AIRMIC 1999; Doherty 2000), and ‘strategic’ risk management. The discourse of ERM, although still aspirational, is gaining ground in leading financial organizations. ERM is the subject of multiple projects of codification and standardization, and is becoming constitutive of regulatory principles and practice.
Why has this happened? In this chapter, I argue that the rise of ERM can be traced to two convergent but different pressures for change in the concept of corporate control. First, ERM is a further mutation of the ‘shareholder value’ conception of the firm (Zorn et al., Chapter 13, this volume), one which involves an increasing technical and institutional focus on the risk measurement dimension of the risk-return relation underlying shareholder value. Value at risk (VAR) measurement technologies are at the very center of a project to know and calculate risk-based ‘economic capital’. This strand of ERM posits a risk-based conception of the firm, which is most conspicuous for financial organizations and where a new intraorganizational politics is visible in the rise of the chief risk officer (CRO) (Oliver Wyman & Company 2002; Power forthcoming).
The second source of ERM thinking emerges from the corporate governance revolution of the early 1990s and from the increasing focus on, and formalization of, internal control as the bedrock of the ‘good organization’. During the 1990s the idea of good internal control became explicitly informed and codified by concepts of risk, shaping a control-based concept of risk management focused more on organization design and process issues than on risk measurement. I argue that this source of ERM thinking is characterized by a control-based model of risk management. Both sources of ERM thinking are fundamental to the project of ‘enforced self-regulation’ (Ayres and Braithwaite 1992) inherent in the Basel 2 proposals for banking regulation and both serve to ‘format’ (Callon 1998) a new ‘moral economy’ of financial organizations.
Taken together, these two sources of ERM thinking express the win-win rhetoric of the ‘new risk management’ (Power 2000b), in which ideals of maximizing shareholder value can be reconciled to societal goals for good corporate governance and orderly capital markets. This ERM model promises a reconciliation of external demands for legitimate governance with functional demands for the efficient allocation of scarce capital. In this respect, ERM functions as a ‘boundary object’ spanning different interests and communities of practice.
There are a number of different definitions of ERM and the purpose of this chapter is not to police any specific understanding of the meaning and scope of the ERM concept. Rather, the intention is to examine the ERM model with a view to understanding its origins and logic. That said, a useful starting point is the following recent definition of ERM as: ‘a process, effected by an entity’s board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risks to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives’ (COSO 2003: 3).
From this strategic point of view, ERM demands the identification of all collective risks that affect company value as a whole and a key claimed benefit is the diversification benefits of a comprehensive view of risk, which have been traditionally managed separately. Functional claims for ERM in financial organizations relate to improved recognition of natural hedges and unanticipated correlations across risk categories (Rouyer 2002). In the non-financial sector, it is argued that ERM led initially to a rationalization of insurance strategies and the reduction of premium costs via multirisk policies (e.g. for the case of Honeywell, see Meulbroek 2002b: 58).1
For many years, lone pioneers and critics of risk-management practice bemoaned its balkanization, its insurance-based preoccupation with risk as a negative to be avoided and its bias toward the measurable (Kloman 1976, 1992). Now the aspiration has changed: risk management is to be regarded as a high-level practice of strategic significance of the firm embodying assessment and management techniques which address the whole range of risks facing the entity, particularly in recognition that some of the most important business risk effects, for example on reputation, have no ready markets for risk transfer or diversification and must be managed directly in the name of shareholder value.
This powerful functional ‘storyline’ (Hajer 1995) for the reorganization of uncertainty by ERM has different strands and elements, and the argument below is organized as follows: the next section deals with the finance-based conception of ERM and the search for a measurement basis for economic capital for organizational control purposes. The second section outlines the other main ERM thematic focused on organizational design and control systems. The third section explores the idea of ERM as a ‘world model’ and the fourth section reflects on the ‘moral economy’ of organizations, as projected by the idea of ERM as a regulatory system.


The author is grateful for the comments of Karin Knorr Cetina, Aaron Pitluck, and Alex Preda on earlier versions of this chapter. The financial support of the UK Economic and Social Research Council is also gratefully acknowledged.
ERM and the Risk-Based Concept of Corporate Control
Integrated Risk Management involves the identification and assessment of the collective risks that affect firm value and the implementation of a firm-wide strategy to manage those risks (Meulbroek 2002a: 56).
In 1998 Chase Manhattan Corporation became concerned that its assets were growing too fast and that its sales force was not making an appropriate trade off between risk and reward in developing new business.2 In particular, traders were not relating their new business to the capital required to support it. Consequently, the bank decided to introduce the practice of ‘Shareholder value-added’ (SVA), a technique by which the profit of any business unit within the bank would be charged for capital, a variant of residual income methods for divisional control purposes. Thus, the ‘free’ cash flow that supports shareholder value was reconceptualized as ‘free’ only after charging units for the portion of risk capital they required the business as a whole to keep in reserve. The capital base on which such charges were computed was an allocated portion of the firm level risk, and this was calculated by two principal methods: VAR and stress testing.
The VAR has many different definitions and can be operationalized in a number of ways but the intention is to provide a measure of the potential financial loss from adverse market movements. According to Jorion (2001a,b), VAR is a simple integrating technology at the heart of the ERM model. It provides a common financial measurement framework for the whole firm, which simultaneously provides a calculation of ‘economic capital’, understood both as capital at risk and as a buffer for shocks. As a quantification of enterprise risk exposure over a period of time subject to a confidence level, the results of VAR modeling are relatively easily understood and visualizable for senior management.
First steps in the public standardization of whole firm VAR can be traced to J. P. Morgan’s publication of RiskMetrics in 1993 and numerous applied textbooks have been published since then. However, the importance of the rise of VAR as a measurement technology for risk management lies as much in the idea as in the detailed practice. In reality, VAR techniques are heavily dependent on the availability of high-volume data sets and have developed most rapidly in the domain of ‘market risk’, that is, a category defined to capture the risk to the value of portfolios of assets arising from changes in market values. The techniques have been extended to the field of credit or default risk and are, at best, problematically and controversially applied in the more ambivalent category of operational risk.3
Notwithstanding this variation in specific applications, VAR is significant as an aspiration to measure capital at risk for the whole firm, across all categories of activity and to allocate that capital to individual business units. It is a vision in which capital for regulatory purposes is aligned with organizational control technologies like the SVA techniques at Chase Manhattan. But the idea of economic capital is itself far from unproblematic or uncontested. The accounting concept of share capital plus reserves is a traditional buffer concept, which is challenged by VAR. From this point of view it can be plausibly argued that VAR techniques ‘perform’ economic capital (MacKenzie forthcoming) in the sense that we do not have a clear concept of it, which is measurement independent. Furthermore, the fiction of VAR-based calculations of economic capital has real consequences as they are accepted by organizational agents. Two classes of agents matter in this respect: traders within the financial organization and regulators.
Getting traders in financial firms to accept VAR-based or other determinations of economic capital is the behavioral challenge of ERM. In practice, ERM only supports capital attribution to business units if these units actually accept its legitimacy: a fiction can only have real implications if it is accepted as real. It is clear from an extensive practitioner literature that these representations of capital at risk, even down to the level of individual transactions, can be highly adversarial within organizations. Consequently, normative commentaries continually emphasize the social support for measurement practices, namely the role of senior management buy-in, cultural commitment, and the need for champions of change (e.g. Cumming and Hirtle 2001; Sullivan 2001; Nash, Nakada, and Johnston 2002). VAR-based calculations of economic capital and related Risk Adjusted Return on Capital (RAROC) measures are institutional myths, in the sense that they are only effective if widely believed.
Getting regulators to accept ERM and VAR has also been an important dimension of its institutionalization. There has been increasing conceptual convergence between regulatory management of economic capital and internal business models. Banks have been permitted to use their own in-house models for determining a capital cushion for market risks since 1996, and this process is being extended to a new category of diverse and difficult to measure ‘operational risks’. Although banking supervisors still constrain the use of in-house models, the changes in regulatory philosophy have been significant. The Basel Committee leading the reform of banking supervision (Basel Committee on Banking Supervision 2003a) is a key resource for conceptualizing ERM in financial markets and has published surveys of ‘risk aggregation’ practices, which realize the theoretical idea of ERM (see Basel Committee on Banking Supervision 2003b).
Despite specific technical difficulties of relating detailed risk-management investments to firm value, particularly in fuzzy areas like operational risk, the relation became newly thinkable in terms of VAR during the 1990s, and provided a new language for the business case for risk management. According to Doherty (2000: 9-10), the fundamental theory of finance, in which returns on assets are always relative to risk, has made risk management a conceptually thinkable part of the corporate value creation process since the 1960s. However, though thinkable, that model had to wait until the early 1990s for diversification measurement technologies like VAR to become fully institutionalized as a calculation of risk capital.
The rise of this measurement strand of ERM is a further episode in institutionalization of the shareholder conception of the firm, driven in turn by the demands of financial markets that firms should manage their stock price. In the case of financial firms investing in other firms, the management of their own stock price is a function of how well they manage the impact of volatility in the stock prices of their investments, placing market risk management at the center of their own shareholder value strategies. ERM emerges from this double attentiveness to financial markets by financial institutions, first in terms of managing their own stock price and, second, doing this to a large extent by managing the effects of market movements on their portfolios of assets. This is slightly different from the two finance conceptions of control outlined by Zorn et al. (Chapter 13, this volume), focused more on the returns or earnings component of risk-return foundations of shareholder value. ERM represents a risk-based concept of control focused on the risk quality of earnings. As we shall see below, this concept of control is regulatory as well as managerial.
Zorn et al. (Chapter 13, this volume) argue that changes in the concept of control in organizations were a function of power struggles in organizations between management functions intent on claiming efficacy. In this respect, the most likely site of struggle in financial institutions is the challenge to the chief financial officer (CFO) by the rise of the CROs. The CRO is the organizational embodiment of ERM and the risk-based concept of control; the CRO reflects the repositioning of risk management in the management hierarchy (Lam 2000). Surveys (e.g. Conference Board of Canada 2001; Oliver Wyman & Company 2002) suggest a marked growth in the CRO role since the mid-1990s. In the case of Chase Manhattan discussed above, a risk policy committee of the main board is the organizational correlate of VAR and many organizations have similar committees headed by a new CRO role. In some cases, the CRO is subordinate to the CFO and in others they have equal and different status, one a facilitator of deals, the other a risk check on them. But while the general picture is presently unclear and demands further empirical research of the kind that Zorn and Dobbin have conducted for CFOs, the emergence of the CRO will further institutionalize the risk-based concept of control (Power forthcoming).

Where did the risk-based concept of control come from? 
To a large extent it had always been inherent or dormant in financial organizations, but there are several overlapping drivers in the 1990s. Its increasing significance is in part a rational response to volatility in financial markets and the need to manage asset growth more carefully in large financial institutions, such as we saw with Chase Manhattan. 
Second, it became institutionalized because of the organizational legitimacy and availability of a measurement technology, namely VAR, which promised a unifying, whole firm entity approach aligned with the whole firm philosophy of shareholder value. 
Third, it promised a new basis of divisional control of disparate units in financial organizations by determining risk-adjusted rates of return on capital for these units. 
Fourth, it provided financial organizations with a rational basis for contesting imposed regulatory capital requirements, resulting eventually in the regulatory recognition of in-house models for determining economic capital.
Fifth, the technological domain of financial risk management was expanded by the increasing liquidity of markets for a broader set of financial instruments, extending the boundaries for risk transfer and management in fuzzy areas, such as ‘weather bonds’ (Meulbroek 2001).

To summarize: an important strand of ERM thinking has its origins in the project to improve control in large financial organizations. This project is epitomized by the idea and practice of VAR models which construct a concept of economic capital for two key audiences, internal traders and regulators. ERM provides a representation of economic capital supporting the interventions of senior management in the operations of divisionalized financial firms. But the idea of ERM is more than that of a measurement technology. It also projects a risk-based concept of corporate control, embodied in risk committees and in the work of CROs. In other words, ERM is not simply measurement focused; it is also about the management and control of risk-measurement practices and it is to this important strand of the ERM idea that we now turn.

ERM and the Control-Based Concept of Risk Management
The second major strand of ERM is more generic in form and is visible in various attempts to codify the elements of a risk-management system. Building on the projects to codify quality management, a number of standards have been produced by standard setting organizations, beginning in 1995 with a joint document by the Australian and New Zealand Standards organizations (AS/NZS 1995), followed by counterparts in Canada (CSA 1997), United Kingdom (BSI 1999), and Japan (JIS 2001).4 This generic risk-management thinking has been criticized, especially by those who do not see the utility of such general standards over and above specific risk-management practice, and this may explain why there is, at present, no ISO standard as such for the risk-management process, although a standard has been developed for a common risk-management terminology (ISO/IEC 2002).
Another related source of thinking for ERM has emerged explicitly from the codification of principles of internal control. Following a congressional investigation by the Treadway Commission in 1987 into fraudulent financial reporting, an internal control framework was developed (COSO 1991). This proposed a broad definition of an internal control process covering financial reporting, legal compliance and operations. Furthermore, the principles began to make explicit the connection between internal control and organizational risk management in its broadest sense: control processes must be designed on the basis of risk assessment and risk appetite, and their functioning must be reviewed. In the case of Chase Manhattan discussed above, the COSO framework was customized for use in the management of operational risk. Crucially, this rearticulation of internal control relates risks and controls explicitly to organizational objectives, and is part of a more general trend in the ‘strategizing’ of control functions.
The COSO in the United States, and the ‘CoCo’ framework developed by the Canadian Institute of Certified Accountants, have greatly influenced subsequent attempts to develop generic standards in the control/risk management area, not least for the Turnbull Report in the United Kingdom (ICAEW 1999) and the risk-management dimensions of the Control and Transparency Act (KonTrAG) in Germany, the latter passed in response to demands to strengthen the role of supervisory boards and requiring them to establish a monitoring system for risk identification.5 In the case of COSO, a standing coalition of professional associations (The American Institute of Certified Public Accountants, the Institute of Internal Auditors, Financial Executives International, the Institute of Management Accountants, and the American Accounting Association) provides oversight for specific technical projects and the internal control framework has been republished as a draft framework for ERM (COSO 2003), which echoes and subsumes the earlier conceptual framework (COSO 2003: 18). This means that ERM is to be a standard for the design of internal control systems.
This strand of ERM represents a control-based concept of risk management and its key elements are clearly visible in the definition given earlier: risk management is related in ambition to entity objectives, to the production of value and thereby to organizational strategy; it is defined as a process requiring senior management direction and extending across the whole organization; it heralds a new organizational consciousness of ‘risk appetite’, and assurance. The document also represents a clear discourse of responsibilization: people must know their responsibilities and the limits of their authority. This linking of duties to entity objectives expresses a new ‘moral order’ to be discussed further below, as well as a strategizing aspiration for advisory markets. The auditing, control, and assurance conceptual heritage remains visible in the requirement to provide assurance that, inter alia, reporting and legal compliance objectives are achieved.
The COSO-based ERM model is based on earlier PricewaterhouseCoopers architecture (e.g. PwC/IFAC 1998) and absorbs older internal control concepts. The internal environment of control is reconceptualized as a risk culture, a set of shared attitudes, values, and practices that characterizes how an entity considers risk in its day to day activities. COSO (2003) codifies the elements or stages of ERM understood in this context as a management process or system rather than a measurement practice. The ideal elements of this process are repeatedly visible in all the management process approaches to ERM and consist of:

Event identification. The enterprise must identify the internal and external events that affect whether its objectives can be achieved. These events can be divided into two categories, risks and opportunities, and management should channel opportunities back into the strategy-setting or objective-setting process.
This reflects the intensified climate of concern during the 1990s for risk events which are not easily captured and understood by conventional information systems, for example, rogue traders and reputational risks. Accordingly, the completeness of material risk identification, if not its precise measurement, has grown in significance as a management priority.

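Risk assessment. The enterprise analyzes risks, considering their likelihood and impact, as a basis for deciding how they should be managed. Risks should be assessed on both an inherent and a residual basis.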
This continues the quantitative tradition of risk analysis, including VAR, but is more pluralistic and includes qualitative techniques, such as focus groups, because of the importance of risk identification.

Risk response. Management selects a risk response (avoiding, accepting, reducing, or sharing) and carries out a series of actions to align risks with the enterprise's risk tolerance and risk appetite.
This is the set of managerial action possibilities in terms of risk avoidance, reduction, sharing, and acceptance. Specific choices will reflect the risk appetite of organizations.

Control activities. The policies and procedures established to help ensure that risk responses are carried out effectively.
These are designed in the light of risk responses and reposition longstanding control activities, such as segregation of duties, arithmetic and accuracy checks, and authority controls within the ERM process.

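Information and communication flows. Relevant information is identified, captured, and communicated in a form and within a time frame that enable the people concerned to carry out their responsibilities. Effective communication is understood broadly and includes communication flowing down, up, and across the enterprise.
These are regarded as an essential feature of ERM, must be appropriate to the expectations of groups and individuals and must address the problem of cross-functional lateral communication.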

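Monitoring. The whole of enterprise risk management is monitored and modified as necessary. Monitoring can be accomplished through ongoing management activities, separate evaluations, or a combination of the two.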
As with COSO (1991) the ERM structure requires the ability to observe itself via periodic evaluation, by the internal and external audit functions and/or by the CRO.

This ideal ERM blueprint also acknowledges the limitations of control systems (collusion, ability to override) and emphasizes the roles and responsibilities of the various organizational agents who must realize ERM: the board, executive management who set the tone of an organization, the CFOs, CROs, and internal auditors. Possible conflicts and competition among these different agents are subordinated to the programmatic idea that ERM is the responsibility of all of them collectively.
From this generic point of view, ERM represents risk management as an organizational process. As in the case of financial institutions, there is a claim that risk-based control activities are value enhancing, but without the emphasis on a measurement technology such as VAR. Great emphasis is placed on senior management and the top-down ownership of the risk-control process. This emphasis grew out of the wave of corporate governance initiatives in the 1990s. Largely scandal driven, corporate governance thinking in different countries increasingly emphasizes internal organizational structures and processes. Boards of executive and nonexecutive directors, audit committees, internal and external auditors have all been subject to greater formalization of their roles, largely by voluntary codes of conduct but more recently in statutory form, with the Sarbanes-Oxley legislation in the United States. At the very center of these governance preoccupations is the nature of the internal control system and its management, which over time has been increasingly articulated in terms of risk (Power 2000a). For this strand of ERM internal control, risk management, and ‘good’ governance are almost coextensive.
There are of course differences and variations among the ERM standards mentioned above. Those emerging from national and international standard-setting organizations tend to have a strong project management flavor and there are important differences between the COSO and CoCo frameworks. But for the purposes of the present argument the similarities are more striking and significant.6
First, risk is defined broadly in terms of both opportunity and harm, an essential strategy for reconceptualizing the value enhancing dimension of control activities and consistent with finance conceptions of risk as variance. 
Second, great emphasis is placed on risk communication rather than on specific measurement techniques, which may be diverse. In particular, communication with a wide range of stakeholders is countenanced, signaling greater sensitivity to the variations in risk perceptions of groups external to the enterprise. This is a critical extension of the risk-management field of vision and will be discussed further below.
Third, ERM is part of a responsibility allocation process, which establishes risk accountability and authority; here the parallels with quality ownership are evident. 
Fourth, the system and process approach emphasizes documentation and auditability (Power 1999).
To summarize: COSO (2003) and other similar risk-management standards exemplify a generic control-based tradition of ERM thinking which is different in emphasis from that which has emerged from the financial risk-management practices of financial institutions. It is process- rather than measurement-based, and grows out of the varied discourses of corporate governance reform in the 1990s and their preoccupation with internal controls. This tradition is less concerned with internal management problems of divisional control and more with the integrity of senior management process. And although the control-based concept of risk management is also very much shareholder value focused, there is also another emphasis on stakeholder communication which places ERM in a potentially larger normative framework. With this in mind, we need to take a more critical look at ERM.

ERM as World Culture?
ERM should not be presumed to be a self-evident and coherent set of ideas and blueprints for practice. It has been argued above that ERM ideas have emerged from two main conceptual frames for measuring economic capital and for organizational control processes, respectively. From this point of view, ERM is a reassembly of ideas, old knowledge perhaps (Deragon 2000), which has been subject to various attempts at codification. Although ideas about ERM clearly predate the development of standards and textbooks on the subject (e.g. Kloman 1976, 1992; Haines 1992), something distinctive takes place from about 1995 onward. Standardization projects for ERM are to be found at many levels, ranging from obvious standards issued by standard setting institutions to textbooks and commentaries. Even certain individuals can acquire the status of de facto codifier (e.g. Lam 2003).
Although the different elements of ERM thinking and conceptualization suggest a tension between a first-order emphasis on rational risk measurement and a second-order emphasis on the management of that risk measurement process, it can be suggested following Meyer et al. (1997) that ERM has all the apparent hallmarks of an emerging world cultural model. To unpack this argument, we can begin by considering practitioner surveys of ERM practice. Such surveys should not necessarily be taken at face value in terms of their analysis of degrees of implementation: they also constitute and perform the interorganizational world of ERM. Tillinghast Towers Perrin (2001, 2001) provides an example of an insurance industry survey, which not only describes practice, but also promotes the emergent discipline of ERM on the basis of its partial realization. Surveys like this typically conclude that industry is making progress (ninety-four companies, 49% of the sample, claim to have ERM and 38% are considering it, with the CRO role on the rise).
In terms of the operational reality of ERM, this survey suggests the continuing existence of barriers to a broad risk vision within insurance companies, with a strong cultural bias to existing ways of working. For example, ‘overall the positive correlation between which risks are covered by ERM and satisfaction with the tools to manage those risks... suggests that risks may be included in an ERM program based on their ease of quantification more than their degree of importance’ (Tillinghast Towers Perrin 2003: 6-7). With the exception of Canadian insurers, the general picture is one of a robust actuarial culture defining ERM to suit its own terms. This suggests that the concrete realization of the ideal elements of ERM is partial and subject to microcultural forms of resistance, such as intraorganizational turf wars and, in particular, the tension between the measurement and management facets of ERM identified above.
This decoupling between ERM claims and reality may be bemoaned at the level of practitioner surveys like this, but is not surprising. It should not blind us to the properties of ERM as an organizationally transcendent model with claims to universal applicability and with developed claims to functionality rooted in the shareholder value model. According to Meyer et al. (1997: 156), ‘these models are organized as cultural principles and visions not strongly anchored in local circumstance’. The unreality of ERM principles, as embodied in the various codifications and texts described above, is also their strength as myths of control which serve to organize organizations.
To follow the thought experiment posited by Meyer et al. (1997), if we were to imagine the creation of a new banking organization, we know that it could not be founded without rapidly adopting the mission and principles of ERM, and would very quickly appoint a CRO and a whole host of other elements comprising the legitimated organizational actorhood of being a bank. In the 1980s and 1990s, the ideas of audit and of ‘new public management’ emerged as cultural models which could be made to look self-evidently functional and whose legitimacy was relatively immune to microcultural problems of implementation. From this point of view, ERM is the latest in a long line of world level (i.e. non-nation state level), organizational blueprints for the organization of uncertainty, and a new product in the market for advice which is increasingly legitimate via its codification in standards.
On this view, ERM is a product of ‘world cultural forces’, specifically organizations who can claim legitimacy as actors in the creation of collective goods and broad meaning systems (Meyer et al. 1997). We have already met these actors above: Chase Manhattan, J. P. Morgan, and other large banks; COSO and PricewaterhouseCoopers; national and international standards organizations; the Basel Committee on Banking Regulation; legitimized human actors, such as academics and practitioner commentators. It is important to note that not all so-called ‘global’ corporations are world actors in this sense; many do not actively participate in the creation of collective meaning systems, although as their operations are written up and disseminated as case studies by business academics and consultants, they may unintentionally come to play this role.
In picking our way through these actors, we can distinguish the two main sources of ERM thinking again. 
First, the risk-based concept of control derives from the position of financial economics as an increasingly powerful world cultural force, in general terms as a model of the firm (Whitley 1986) but also with a specific mandate to increase its scope via the financialization of all elements of risk management. 
Second, the control-based concept of risk management is built in part upon the older audit model, supplemented by a range of ideas to do with systems and communication. This suggests that ERM can be usefully imagined as a ‘boundary object’ at the world level which inhabits ‘several communities of practice and satisf[ies] the informational requirements of each of them. Boundary objects are both plastic enough to adapt to local needs and constraints, yet robust enough to maintain a common identity across sites’ (Bowker and Star 1999: 297).
To summarize: ERM can be understood as a world level boundary object which has emerged from a private market for risk-management norms and related discourses. A long-standing dissatisfaction with the insurance-based concept of risk management (Kloman 1992; Dickinson 2001) was redeveloped in relation to a powerfully legitimate measurement technology on the one hand, namely VAR, and to a range of established ideas about management systems and processes on the other. ERM did not emerge from legislative or regulatory processes, although it has informed them as we shall see. However, whether ERM is a ‘true’ world model remains an open question. Some critics argue that continuing organizational barriers to the full implementation of ERM will diminish its legitimacy over time, reducing it to the status of mere fad (Banham 1999; Deragon 2000). These difficulties may feed back and be registered at the world level, namely the global conference circuit, the practice survey, consulting templates, handbooks of best practice, and world level standard setting bodies. Against this, we should expect at least some durability to the idea, irrespective of apparent specific failures. And part of that durability has little to do with the mechanics of risk management; it has more to do with ERM as a value system which appeals across different groups. As a boundary object, the ERM model importantly blurs the distinction between projects of risk measurement, organization, and regulation (Morgan and Engwall 1999), and posits a new normative order. It is to this that we now turn.
ERM and the Moral Economy of Financial Organizations
The above discussion has focused on ERM as a model of organizational control. In this section, we consider its properties as a model of regulation or, more accurately, ‘enforced self-regulation’ (Ayres and Braithwaite 1992). First, ERM is a blueprint for regulatory regimes themselves and for financial regulators seeking to manage their own operating and political risk. Thus, elements of ERM are to be found in the policy thinking of the United Kingdom Financial Services Authority (2000) and elsewhere. Here, the legitimacy of ERM as a world model is evident as regulatory organizations are subject to isomorphic pressures to become, at least at the level of mission and purpose, more like the organizations they regulate. Notwithstanding the evident empirical operating variety of regulatory regimes (Hood, Rothstein, and Baldwin 2000), ERM is an increasingly legitimate template for such regimes, specifically what is now called the risk-based model of regulation. From this point of view states and state agencies are adopters of world cultural elements like ERM. ERM ideas have an important position in the KonTrAG in Germany and in the recent Sarbanes-Oxley Act in the United States. And organizations like the World Bank have also begun to adopt ERM to structure their own working processes.
Second, the emergence of ERM makes a certain regulatory style possible, one that increasingly relies on the self-organizing resources of banking organizations and which monitors the quality of local risk-management systems. From this point of view, the ‘auditability’ and responsibility elements of ERM are critical in enabling regulatory oversight of essentially private processes, and the technology of VAR provides a common technical language of exchange between banks and regulators. Regulatory pressures have grown for ERM models to be introduced in financial institutions, for example from the Office of the Superintendent of Financial Institutions (Canada) and the Prudential Regulation Authority in Australia (where the HIH Insurance scandal has had a huge impact). More generally, the Basel 2 proposals also embody ERM ideas; pillar 1 corresponds to the risk-measurement ambition and pillar 2 corresponds to the control and communication emphasis (Basel Committee on Banking Supervision 2003a). From this point of view, world level norms are being relegalized at the level of regulatory policy. Indeed, Australia Standards acknowledges that failure to establish and maintain a proper risk-management program may be evidence that an organization is negligent.7 In short, we can expect that national legal systems will reinforce the legitimacy of the ERM model.
In order for ERM models to fulfill this regulatory vision, they need to promote a new internal moral community in financial institutions. Ideals of integration and related internal responsibilities for risk envisage the construction of a normative operating climate in which risk is defined and, crucially, allocated to organizational agents. Historically, risk management in diverse areas, such as health and safety, internal control, and insurance, was decoupled from corporate policy and objectives (a matter for critical commentary by farsighted individuals) and managed on a fragmented basis. The ERM model recasts risk management explicitly in terms of organizational objectives, transforming risk management from a specialist control side-show to a (shareholder) value enhancing activity. This programmatic ‘strategizing’ of risk management, raising the profile of long-standing elements (e.g. control and risk assessment techniques), and repositioning them in the fabric of management knowledge, simultaneously represents a new ‘moral economy’ of the organization. This moral economy is governed by newly powerful actors, namely risk and audit committees and risk officers concerned with new objects, such as corporate reputation (Power 2003).
The sense of ‘moral economy’ should not be taken normatively to mean that organizations become ‘moral’ in some first-order sense. The intention of the concept is to highlight the normative structure of the ERM model, in particular the internal responsibility structures that banks like Chase Manhattan established in relation to risk management. However, there is also a larger sense in which ERM can be said to constitute a new moral economy, namely in the expanded role of risk management in processing social and environmental issues at the level of the organization. In short, historically visible anxieties and pressures for the democratization of risk analysis (e.g. Jasanoff 1999) are reworked and reframed by ERM as issues in the design of internal control and management systems, precisely the ‘remanagerialization of risk’ envisaged by Beck (1992).
The ERM world model translates potential public policy issues into matters of organizational process (rather than scientific expertise) at the enterprise level. Thus, the social and environmental externalities of financial and other organizations are reworked and internalized as matters of ‘reputational risk management’ (Power 2003). Reputation management as a component of ERM is arguably the organizational privatization of public policy. In particular, regulatory organizations begin to manage their own reputational and political risk in priority to their direct systemic obligations. For example, in the case of the World Bank, ERM functions to manage the risk to the Bank of not fulfilling its mission, rather than the risk to developing countries directly. The latter is reframed and internalized by ERM relative to the entity that is the World Bank organization. How this risk translation process might impact on the continuing legitimacy of the ERM model is an open question.
Another dimension of the moral economy of ERM is its role in providing the actors of corporate governance, namely boards, audit committees, internal and external auditors, a mediating semi-technical language through which to evaluate and monitor organizational process without becoming embroiled in technical risk analysis. Even VAR has the attraction of being relatively easily understood. This enfranchisement of nonexperts with monitoring capacity within organizations is a critical feature of ERM as a template for good governance and appears to address the ‘rogue’ expert problem. Thus the ERM model restructures organizational handling of uncertainty with a greater accent on risk communication and dialog about a broader range of risk objects. Compared to older conceptions of financial risk analysis, ERM is much more democratic, at least at the organizational level.
To summarize: the ERM model repositions risk management within a new internal moral economy of the enterprise. This moral economy can be characterized in terms of heightened internal responsibilities for risk and its management, much in the manner of ‘quality ownership’, but it also has an external dimension in so far as ERM explicitly processes wider social, economic, and environmental problems at the enterprise level. This still leaves us with a puzzle about the moral economy of ERM which is both more open and responsive to these external issues than previous risk-management thinking, but which is also closed in so far as the operating premise is the rather old-fashioned, pre-network idea of the discrete firm entity.
Conclusions: ERM and the Organization of Uncertainty
Organizations have always been centrally, even definitionally, concerned with the management of uncertainty and the coordination of resources to create forms of order for identifying risk and making decisions (March and Simon 1958). ERM can be regarded as yet another in a long line of programmatic technologies for rethinking the relationship between management, as the production of order, and uncertainty. Ideas about integrated, holistic, and enterprise-based risk management have existed for many years, in part as a discourse of dissatisfaction with narrow insurance-based views of the subject. Since 1995, these ideas have found an institutional voice in the form of specific standards and guidelines on generic risk management, in supporting texts and commentaries, and in an increasing regulatory emphasis on organizational risk management. ERM in this sense has been transformed from the preoccupation of a small number of critical observers and pioneers, into something programmatic and operationally significant. As a potential world model, ERM has acquired the quality of a self-evident set of principles: the fundamental arguments are very well-rehearsed and, at the conceptual level, reasonably well accepted.
This chapter has argued that the ERM model has two convergent strands or currents, the risk-based model of the firm and the control-based model of risk management. Both these strands can be understood as the responses of discrete functional activities, risk-measurement and internal control, respectively, to the shareholder value imperative. To this end, ERM reorganizes and coordinates existing risk-management subdisciplines, a program for debalkanization (Kloman 1992), to create rational relations between risk management, control activities, organizational objectives, and strategy. These claims for functionality are fictional and unrealized to a large degree, but the ERM model as realized and legitimized in standards, texts, and now regulations makes it a thinkable imperative. If ERM is an illusion of control, it is also somehow one of a number of necessary illusions which constitute management practice. And as the rational reorganization of uncertainty, ERM is an ‘organizational fix’ in the same sense in which scholars of science and technology studies have used the concept of ‘technological fix’.
This chapter has been concerned primarily with the emerging logic of ERM, its formalization in standards, and its status as a world level model of good governance. It has not been concerned with empirical questions of adoption and implementation, although a few things can be sensibly anticipated about what such studies will show, based on work in other areas. First, there can be no doubt that any implementation of ERM systems will be laden with organizational politics and negotiation, that objectives which should shape risk-management activity will become shaped by it, that traders will resist arbitrary capital charges and so on. So the official sequencing of ERM processes as represented in standards should not be assumed, and we can expect internal competition between various organizational actors, not least between the CFO and the CRO. Second, we should expect that ERM standards will become implicated in the legalization and proceduralization of organizations (Sitkin and Bies 1994), notwithstanding the enabling, innovatory language by which ERM is promoted. As regulatory systems depend increasingly on ERM at the organizational level, this tendency is likely to be observed as ERM and good organizational governance become increasingly codefined. Third, we should expect to see an active advisory market for ERM and its customized variants, a market in which consultants seek to articulate proprietorial versions of generic principles. From this point of view, standards and surveys exist in part to scare organizations into reform processes.
ERM has emerged, via standards and other texts, as an institutionalized basis for the self-observation of financial organizations based on the dual technologies of VAR and internal control. This second-order observation of operations is visible in the stated mission of the CRO role, an actor who is charged in part with providing a new basis for the self-description of management. However, languages of organizational self-description, such as ERM, may change precisely because there is no enduring rational way to deal with the management of enterprise (Simon 2003) and it remains an empirical question ultimately as to whether or not the ERM model leads organizations to change their substantive rules of internal communication.
1.  The case of BP in 1992 is also similar, informed by an academic study by Neil Doherty and Clifford Smith. See Risk Management Reports, December 1999, 4-5.
2.   This case is based on Barton, Shenkir, and Walker (2001, ch. 3).
3.   The categories of market, credit, and operational risk have emerged as legitimate classifications in the organizational field. Financial institutions structure their risk management activities in terms of these categories. However, they are far from being diagnostically useful; real risk events usually straddle these categories and their departmental embodiments.
4.   It is interesting to note that in Germany the Deutsches Institut für Normierung (DIN) notably does not have such a generic document, part of a general German tendency to focus on product and service specific standards, rather than broad management templates.
5.   This chapter does not deal with the regulation of risk reporting. It is important to note that the German Accounting Standards Board has issued an accounting standard on risk reporting.
6.   Many standards are also supported by more specific guidance and amplification. See, for example, booklets 141, 142, and 143 published by Australia Standards.


7.   See Risk Management Reports, January 2000: 5.
