The risk management of
everything
MICHAEL POWER
is PD Leake Professor of
Accounting and a Director of
the ESRC Center for the
Analysis of Risk and
Regulation (CARR) at the
London School of
Economics.
([email protected]).
58 T H E RISK MANAGEMENT OF EVERYTHING
MICHAEL POWER
THE BACKGROUND
I
recently decided that there was no longer
space to store 20 years worth of
Accountancy and Accountancy Age. Prior
to disposal I reviewed all the back issues for
articles of particular note worth saving. In the
course of this process, a number of things were
striking. First, articles on financial reporting were
conspicuous in the 1980s, and in the 1990s it was
auditing which seemed to be the main object of
discussion. Second, risk and risk management
begin to receive regular exposure only from about
the mid-1990s onwards. In particular, the late
1990s reveal an increasing commentary on
practice management and risks to professional
partnerships.
This review was not a formal content
analysis and the observations are impressionistic.
However, the recent accent on risk management
by accountancy practices provides the point of
departure for this lecture.
The audit risk model, as an idea if not a
concrete practice, can be traced back to the 1980s.
In time this developed as business risk auditing
(BRA) with different firms offering proprietorial
variations on the same theme. Of particular
interest in this methodological development is the
manner in which "audit risk," originally
conceived in terms of the risks of client business
(sub-analyzed into control risk and inherent risk)
and the risks of the audit process (sub-analyzed as
sampling and non-sampling risk), came to be
understood to include the risks to the auditor
him/ herself. In short the primary risk, that the
financial statements are materially misstated, has
come to be thought of also in terms of a secondary
risk, the risk of financial and reputational losses to
auditors themselves.
Recent professional preoccupations with
practice management, quality control and client
selection processes are a further reflection of this.
Changes in the regulatory environment for the
accountancy profession, the emergence of the
corporate governance codes, new areas of work
driven by new legislation, and the liability
environment, all make the focus on secondary risk
management very understandable and rational at
the level of the individual firm or practitioner. At
the macro or systemic level there is more cause for
concern. The accountancy profession as a whole,
which has historically been granted a monopoly
over work regarded as essential to the risk
management of the corporate economy, namely
auditing, may be becoming preoccupied with
risks to itself. However, this is much more than an
accountancy-centered story of the problems
created by the liability law, as some would argue.
It is systematic, cross-functional and concerns
many other agents and agencies in society.
Indeed, society is facing a major challenge,
whereby those agencies traditionally charged with
handling (pooling, collectivizing, reporting)
primary risks on behalf of others, such as
professions, insurers and government, are
This article was originally published in Balance Sheet, Vol. 12
No. 5, pp. 19-28, ISSN 0965-7967.
VOLUME 5 NUMBER 3 2004
focusing increasingly on their own risks with a view to
avoiding responsibility, blame andfinancialpenalty.
This is the problem underlying the idea of "the risk
management of everything," namely that there is an ongoing
shift in society in the balance between primary and secondary
risk management, with a marked growth in the latter.
There is no doubt that risk talk and ideas of risk
management have become more prominent in recent years.
Specifically, since 1995, the year that Barings bank collapsed
and Shell experienced reputational damage with the disposal
of Brent Spar in the North Sea, there has been a literature and
conference explosion in the risk management area. New
journals have been created and old journals have been
renamed to include the word "risk." Numerous texts book
have been written on risk management, particularly on new
objects of concern such as "operational risk" and "reputational
risk." Regulatory changes, notably the Basel 2 proposals for
banks, have provided a further stimulus to the risk
management industry and in many organizations senior risk
positions, like chief risk officers, have been created. In the UK
public sector, central government has undertaken a major risk
management initiative and risk is becoming a basis for
challenging the quality of public services.
Over this period the quantitative expansion of risk
management has been accompanied by very important
qualitative changes, notably the alignment of risk
management with good governance agendas. In addition,
there has been much talk of the strategic benefits to
organizations resulting from more explicit risk management.
This lecture strikes a more critical tone and argues that
the rise of risk management has been characterized by an
increasing accent on risk management for defensive and
secondary risk management purposes, and that this shift in
focus may in fact pose very serious risks to society.
The argument begins in the very heartland of
accountants and auditors: internal control.
THE RISE OF INTERNAL CONTROL
Six years ago in 1998 I gave the first PD Leake lecture
on the theme of "The audit implosion: regulating risk from
the inside" which anticipated the growing importance of
internal auditors and organizational internal control systems.
Since then, the Turnbull report has become a blueprint for
thinking in the UK, expanding its influence well beyond the
intended private sector audience to become a generic
conceptual framework for internal control and risk
management. In addition, internal control has been elevated
from its lowly and private organizational position to become
VOLUME 5 NUMBER 3 2004
the basis for enterprise-wide risk management thinking, for
risk-based regulation, and for accountability and governance.
In short, internal control is now an unshakeable part of the
moral economy of organizations in which specific
responsibilities for different categories of risk are allocated.
This transformation in the status and scope of internal
control is a project of turning organizations "inside out" and
of making their risk-based internal control systems a public
and potential disclosable matter as never before. This process
has been under construction for some time. In the USA, the
COSO framework in the early 1990s provided a conceptual
framework for internal control and is now being remodeled as
an enterprise risk management template. The Sarbanes-Oxley
Act section 404 takes the public focus on internal control to
the next level. Directors of the Securities and Exchange
Commission (SEC) registrant companies will be required to
evaluate the effectiveness of internal controls relating to
financial reporting, and auditors are required to certify the
process by which directors arrive at this evaluation and to
provide an opinion on effectiveness itself. At a seminar in
Spring 2004, it was reported that the SEC expects 20 percent
of the s404 audit opinions to be qualified in some way.
Reporting on internal control effectiveness has always
been problematic, and has been discussed in the UK
throughout the 1990s since the original corporate governance
code was created. While auditors have privately developed a
basis for assessing internal controls, to determine the extent of
substantive tests, and have been active in reporting on control
issues to management, the public reporting of internal control
effectiveness has proved problematic. Effectiveness is itself
elusive and auditors remain hesitant about giving public
opinions in this and other areas because of liability concerns.
The historical tendency is for auditors to give opinions on
management processes, so the advent of s404 reporting will be
challenging and will mark a new phase in the public life of
private control.
The rise of internal control systems and their
increasingly public role can be explained by a number of
factors. First, organizations have come to recognize the self-
insurance aspects of good internal controls as a basis for
reducing and rationalizing insurance. Second, internal control
systems have become central to regulatory strategies, such as
Basel 2, concerned to work with the grain of organizations'
own systems. Third, the rise of internal control is
symptomatic of an institutionalized mode of responding to
crisis and failure by extending the formalization of reporting
and control functions. Sarbanes-Oxley is a classic example of
this as a response to Enron and other high profile failures.
More generally, we observe that a whole spectrum of difficult
THE JOURNAL OF RISK FINANCE 5 9
primary risk issues get translated into problems of
organizational control systems. These organizational
translations of risk are to be seen in the cases of BSE and farm
management systems; the Shipman murders and registration
and monitoring systems for doctors in the UK; earthquakes
and building regulation controls; terrorism and the
organization of security services.
Societies have no option but to organize in the face of
risk, and this extends the reach of internal control into every
aspect of organization life. Given the significance of
organizations for individuals (we work in them, buy goods and
services from them, send our children to school in them), the
rise of internal control is part of the risk management of
everything. However, the rise of internal control as an
unquestionable principle should also give cause for some
concern. Such systems may project ideas of controllability
which are unjustified and which may generate expectations
gaps of a new kind. Will auditor reporting on such systems in
fact improve public trust in organizations, or will it represent a
form of risk management which looks increasingly defensive
and uninformative, the managerial equivalent of political spin?
The challenge for policy makers is to understand how
the logic of secondary or reputational risk management is
beginning to percolate and pervade internal control and risk
management agendas. This is as true for the state as it is for
business.
THE STATE AS RISK MANAGER
Modern states, with welfare and social insurance
systems, have always been concerned with the management of
social risk. However, such states have only recently begun to
think of themselves explicitly in terms of risk management
ideas. In the UK, this change has been largely brought about
by a number of crises, notably BSE and the handling of the
foot and mouth crisis in the public health domain, and project
and systems failures, such as in the UK passport office. In
recent years state sector organizations have begun to import
and implement risk management ideas and blueprints from
the private sector. There is an observable "Tumbull effect" in
schools, universities, hospitals and charities, and financial and
project risk management has become an important feature of
private-public partnerships.
Two areas where the state as risk manager is most
evident are the emphasis on risk communication and the
development of explicitly risk-based regulatory systems.
60 THE RISK MANAGEMENT OF EVERYTHING
Risk communication
The significance of risk communication has been
argued for many years, but has only relatively recently begun
to surface in public policy. A critical community, including
academics, has argued for many years that in matters of public
interest, particularly health and safety, risk acceptance
decisions cannot simply be left to scientific experts. The
distributional issues involved in public risk management
demand greater democracy in the decision process and many
areas of risk knowledge are themselves so uncertain that
scientists cannot claim any unique authority. Indeed,
scientists began to find themselves on the back foot, arguing
both that they are the risk experts, but admitting that many
areas of relevant scientific knowledge are essentially
conjectural.
In this setting, where public perceptions of risk may also
be varied, it has come to be accepted that the legitimacy of
public risk management policy demands a degree of
communication and involvement with the public and with
stakeholder organizations.
Extending this line of argument, it can be claimed that
risk communication practices are in part concerned with
managing the reputation of government, a reputation which
can be said to be "at risk" where there is a gulf between public
expectations of performance and service delivery, and
perceptions of that performance. The idea of an "expectation
gap" is of course well known to accountants, but is not unique
to the problems of auditors. Such gaps can be managed with
strategies to change the performance dimension of the gap.
Alternatively, or in addition, an attempt can be made to
change the expectations dimension of the gap, i.e. to
"educate" and enfranchise relevant publics via risk
communication and participative schemes.
An important feature of risk management and this
accent on risk communication in the domain of public policy
is the management of reputational or political risk to
government. Another way of putting this is to suggest that,
while government and its agencies, such as the Department of
Health, certainly focus great efforts on first order risks to the
public associated with, say, mobile phone radiation and food
quality, there are also more conspicuous strategies to manage
reputation by avoiding the potential for blame.
One potentially important aspect of risk
communication concerns the very concept of "risk" itself
which, though subject to different definitions, implies the ex
ante possibility that things can go wrong or not turn out as
expected. This is relevant to the second public policy theme in
risk management - risk-based regulation.
VOLUME 5 NUMBER 3 2004
 Risk-based regulation
It is now well known that there has been a profound
shift in ideas about regulation in the last 20 years or so.
Regulatory systems increasingly seek to work with the grain of
organizational control practices, enlisting them in the
regulatory process and preferring to establish broad
frameworks rather than detailed rules. The Company Law
review in the UK has this ambition. This approach has the
merit of being efficient and cost-effective and gives regulatory
processes a legitimacy that an older command and control
style may have lacked. Organizational internal control systems
are an essential feature of this style of regulation, its mirror
image at the organization level.
States have created a number of distinct agencies to
regulate specific functional areas. In the UK the Financial
Services Authority (FSA), The Food Standards Agency, the
Health and Safety Executive, and the Healthcare Commission
are examples, and there are many others. Indeed, the growth
of such agencies, particularly in the wake of the privatization
of many utilities, is said to characterize the UK "regulatory
state."
Some of these agencies have recently become more
explicit about having a risk-based approach to regulation. The
principle is that an ongoing risk assessment of regulated
entities will enable resources to be directed to areas where they
are most relevant and where risks are deemed to be higher.
Organizations with risk management and control systems
regarded as effective, i.e. those whose process of self-control
are good, can be regarded as low risk and subject to a
moderated regime of inspection and enquiry. The operating
philosophy of the UK FSA clearly reflects this. Risk-based
regulation also provides the basis for a common language
between regulator and regulated, even to the extent that the
two become more similar in their formal structure
("isomorphism").
Some regulators are making increasingly explicit claims
that risk-based regulation means that regulation is not an
insurance process, that things can go wrong and that such
agencies cannot be a priori responsible for every possible
failure. Being public about this meaning of risk is a kind of
reputation management strategy, an effort to displace an
apparent public expectation of zero-failure, exacerbated by
political discourses of zero-tolerance.
Here the politics of risk becomes complicated. On the
one hand events like the demise of Equitable Life might be
regarded as tolerable from a statistical or systemic point of
view, but is experienced by large numbers of people as
catastrophic. So whatever ex ante risk-based communicative
VOLUME 5 NUMBER 3 2004
strategy is adopted for reputation management purposes, ex
post it will remain difficult to control public responses because
crises are distributional and impact on some people more than
others. Despite this, reputation management has emerged as
an ambition to control such public responses.
REPUTATIONAL RISK
Today, most business people, when asked about the risk
which worries them most, will often mention reputation. Yet
the idea and practice of reputation management is itself very
young, created in the wake of Shell's experience of attempting
to dispose of Brent Spar in the North Sea in 1995. In an
orchestrated campaign against the company, stations were
boycotted, particularly in Germany, and there was resulting
economic loss. In response the company undertook a
sweeping internal review. Sea-based disposal of the old unit
was calculated to be the least environmental harmful option,
but Shell had failed to communicate this to the public and to
relevant interest groups.
An example closer to the home of accountants concerns
the demise of the firm Andersen. The lesson seems to be that
the actions of a few employees can bring down an entire
organization via a "multiplier" effect - markets can interpret
the actions of the few as a signal about the culture of the
whole. The event certainly galvanized reputation management
thinking within the accountancy profession. Specifically, the
client acceptance and retention decision, assessment of the
"tone at the top" of clients, and the risk management of
accountancy firms themselves have all received considerable
attention in recent years.
From an accounting point of view, reputational risk
turns the concept of materiality upside down. Traditionally,
but not exclusively, thought of in terms of financial
magnitude, reputation means that even apparently small
events or losses, such as a minor regulatory fine, can have
larger repercussions. Much depends on how and whether
certain events are amplified or not by wider social processes,
not least the media and legal systems. And these amplification
processes are not normally under the control of most
organizations. This means that reputation risk reflects a new
sense of vulnerability, a dread factor for senior managers as
well as politicians, and has created new demands to make
reputation "manageable."
While organizations can do much themselves to
mitigate these secondary or reputational risks, they remain
hostage to the institutional environment in which they
operate. Effort is being expended on external stakeholder and
relationship management, including the development of
THE JOURNAL OF RISK FINANCE 61
strategic partnerships. From this point of view, the current
interest in corporate social responsibility (CSR) can be argued
to be a defensive strategy; CSR is simply subsumed within
reputation risk management.
If everything can potentially threaten reputation, then
reputation risk demands the management of everything.
EXPLAINING THE RISK MANAGEMENT OF
EVERYTHING
To summarize the argument so far, there has been an
explosion of risk management practices since the mid-1990s
across a wide variety of organizational contexts. Internal
control has emerged from being a private matter to being at
the heart of organizational governance; internal control and
risk management have become increasingly co-defined; the
UK state has begun to think explicitly of its risk management
role and risk-based regulatory organizations are more
prominent; categories such as "reputation" have emerged to
characterize a newly visible kind of threat to organizations. In
short, risk management seems to be everywhere.
Why has this happened?
The common sense answer is that the rise of risk
management is simply an efficient response to the fact that the
world has become more risky and dangerous. The sociologist
Ulrich Beck, author of Risk Society, is often attributed with
this view (a little unfairly). However, it is more accurate to say
that while the world of developed economies is now much
safer from natural dangers, it has generated a number of man-
made risks as side effects of progress. Many societies are more
conscious that these issues demand organizational control,
intervention and management. Expectations have increased
because, as Beck rightly argues, processes of individualization
in modem societies have also increased, creating more
demanding contexts in which all organizations now operate.
These social environments are sometimes described in terms
of "compensation" or "blame" cultures, but they are also
environments which simply demand more decisions in more
areas of life.
Accordingly, risk management and the wider
"Turnbullization" of UK organizational life is primarily a
defensive response to a more activist and demanding
organizational environment of consumers and stakeholders.
The risk management of everything may well reflect increased
attention to primary risks to health, financial and physical, but
it is also characterized to a very large extent by secondary risk
management of reputation.
62 THE RISK MANAGEMENT OF EVERYTHING
Of course, it can be argued that the distinction between
primary and secondary risk is artificial for organizations whose
assets are largely intangible and reputational. The primary risk
is identical to the secondary risk. So the rise of reputational
risk management is simply a product of the emergence of the
"new economy" and the need to manage intangibles. And for
brand rich organizations, it is completely rational to manage
reputation. Nevertheless, secondary risk management remains
an issue for individual organizational actors for whom the
costs of blame are perceived as high. The risk management of
everything involves everyone becoming a risk manager.
We should be very concerned about a society and its
constitutive organizations (professional bodies, corporations,
universities and hospitals, etc.) when they expend increasing
resources on defending themselves. The consequences of an
obsession with secondary risk manage-ment are potentially
very serious.
THE RISKS OF RISK MANAGEMENT
Claims for the benefits of risk management are
numerous. In financial services organizations, risk
management has enabled a new focus on asset and earnings
quality. In the corporate sector more generally, risk
management has become perceived as integral to business
strategy and to value creation. Risk management has been
shifted from a back-office, transaction-veto defensive role into
a fundamental part of the business model. Risk officers and
chief risk officers have been created as champions of risk
management, seeking to embed the risk management gospel
within a broader organizational culture. In the public sector,
risk management is becoming part of the way organizations
challenge themselves in the absence of market mechanisms.
And in all these settings it is widely accepted that the managed
taking of risks is essential to progress and the creation of value
- with the exception of extreme enthusiasts for the
precautionary principle.
Notwithstanding these claims, for which there is
considerable support, time may show that risk management is
more like the latest management fad than a timeless panacea.
And there is a darker side to these developments than is often
apparent.
Legalization and hyper-internal control
The accountancy trade press regularly reports
practitioner concerns about the costs of compliance with
corporate governance initiatives. The Sarbanes-Oxley
legislation seems to have taken these concerns to a new a level,
but compliance with International Accounting Standards, the
VOLUME 5 NUMBER 3 2004
proposed review of the Tumbull guidance, recent FSA
proposals for reporting on corporate governance and the
impending regulation of the Operating and Financial Review
(OFR), not to mention Basel 2 for the banking sector, add to
the weight of opinion about the corporate regulatory
overload.
There are genuine economic risks of the internal control
and risk management explosion. Getting the cost to benefit
ratio wrong of such initiatives means that they will be far from
economically efficient, even if they satisfy political demands
for action. While such a regulatory evaluation is important,
some effects of risk management are not only hard to quantify,
but require in the first instance adequate conceptualization.
The growth of risk management out of internal control
involves an intensified focus on process, and on auditable
trails of documentation. This creates a certain internally
legalized organizational environment. Legalization does not
mean the law literally but the process by which a distinctive
style of rule making pervades organizational life. From this
point of view, the formal difference between laws, voluntary
codes and in-house procedures matter very little; what matters
is their effects. Indeed, it can be argued that many
organizations, and perhaps accounting firms too, internally
amplify imagined legal risks with internal processes which
systematically build in forms of caution, and which create
incentives for responsibility avoidance via formal modes of
compliance. There is a vicious circle linking the multiplication
of rules to rule-like actor mentalities. Risk management
systems "hard-wire" defensiveness in organiza-tions but this is
not to be identified simply with risk aversity. Systems may
well affect risk appetite, but it is only necessary to say that they
enable responsibility avoidance, whereby agents allocate more
non-productive time to managing the secondary risk of
adverse outcomes.
If the 1980s was the decade of intensifying external
accountability for organizations, the 1990s and the corporate
governance revolution added pressures for greater internal
accountability, facilitated by an internal control system which
is also a responsibility allocation system. Risk management is
largely an extension of this trend. A form of hyper-internal
control amplifies the time and attention spent on secondary
risk management by organizational actors and professional
agents in a climate of heightened expectation. Typically, as the
process becomes more finely grained, individuals are
increasingly concerned with the risks of being seen not to
comply with the system, as well as with managing first order
risk in a visible way. However, they are increasingly distracted
from first order risk issues and get socialized into a certain way
of thinking about the organization. If one has any doubts on
VOLUME 5 NUMBER 3 2004
this matter, ask the question: what assumptions about human
nature underlie the Sarbanes-Oxley act?
At worst, risk management based internal control
threatens to imprison organizational thinking. The fearful
concern with reputational risk leads to a loss of materiality as
categories of control become more fine-grained. Indeed, as
professional service firms and professions more generally
apply these ideas to themselves, they become potentially
inward-looking and pre-occupied with secondary risk.
The role of professional judgment in society as a whole,
not just that of accountants, is threatened by these effects. An
implicit contract exists between society and expert
occupations. In return for monopoly rights over areas of work,
risky but necessary judgments are made for the greater good.
These are judgments which could be made reasonably at one
time, but might in retrospect turn out to be wrong. Today,
this sense of reasonable judgment is subject to increasing
pressure from a legalized environment, referred to variously as
the "consumer movement," the "human rights culture" and
the "compensation culture." While such external pressures
play a role in assuring the quality of professional services, by
providing a point of challenge and potential sanction, there is
also a growing sense that the defensive investments they
trigger are out of control.
Take the recent money laundering regulations in the
UK. The press anticipates a wave of "defensive" reporting to
the National Criminal Intelligence Service (NCIS) by
accountants and lawyers, managing their own risks in relation
to the legislation. In the university sector, student references
have become more anodyne and less informative over the
years (more like audit reports?). As a consequence, such
references have become devalued and employers recruit
"employment risk management" consultants to do searches.
So a risk industry feeds on the consequences of secondary risk
management.
If we look at the regulations which pervade
organizational life, they are all individually reasonable. But
they all demand systems of internal control to demonstrate
visible compliance, and their collective effect is to force
opinion formation underground or to make it only visible in
coded form accompanied by complex disclaimers.
Individual teachers, accountants, lawyers or doctors
cannot be blamed for this state of affairs. Far from it; it is
completely rational to invest in secondary risk management
strategies to avoid blame for downside outcomes. The
problem is systematic and therefore much more serious. A
"morally thin" environment is being created which, despite
much talk of the "opportunity" inherent in the new risk
management and the Sarbanes-Oxley requirements, is
THE JOURNAL OF RISK FINANCE 63
profoundly damaging to professional cultures. Whatever
critique might be mounted about those cultures, such as their
historical lack of accountability, it remains true that all
individuals in society need, at crucial times and without
hesitation, to trust professional judgment, whether that of a
tax adviser or a doctor. That need is frustrated when those
same professionals, including politicians, appear to be
preoccupied to a great extent with their own risk. The risk
management of everything, and the rise of hyper-internal
control, is a symptom of a profound crisis in our trust in
informed but necessarily imperfect judgment.
CONCLUSIONS AND RECOMMENDATIONS
It has been suggested that a certain kind of secondary or
reputational risk management increasingly pervades
organizational life at all levels of society. A growing activism
and individualism in the environments of organizations,
amplified by political pressures, has resulted in an
intensification of internal control practices. From this broad
point of view, despite the positive talk, the new wave of risk
management can be regarded as a defensive reaction to an
increasingly demanding environment. Professionals will argue
that that the law, an aggressive media and an over-responsive
political system are at the center of this story. Certainly, the
free press and media, core institutions of liberal democracies,
are not without reputational issues of their own in early 2004,
but they remain a powerful conduit for secondary risks to
organizations.
The risk management of everything is not simply to be
discussed at the level of the effects of organizational internal
controls, although this is where the current discussion has laid
most emphasis. It is also to do with problems of political
culture, and the failure to develop a politics of uncertainty in
which failure can be openly spoken of both ex ante as possible
and ex post as not always blameworthy.
Assuming the above analysis strikes some chords in the
world of practice, what might be done about it? As far as
accountancy is concerned, we stand on threshold of some
critical developments. Expectations seem to high, maybe too
high, that the new OFR will provide a disclosure vehicle
capable of satisfying analysts demands for information about
strategy and risk, and social demands for information relevant
to wider corporate responsibility. In addition, the
requirements of Sarbanes-Oxley section 404 will begin to bite
for some companies, although this is likely to become diffused
as a standard for non-SEC registrant entities as well, rather in
the way of ISO 9000. The Turnbull report will be reviewed
64 THE RISK MANAGEMENT OF EVERYTHING
and the FSA proposes a new form of auditor reporting for the
combined code.
In the current environment, it is only too easy to predict
what may happen. Reports by auditors and others will default
to a standardized form with defensive, uninformative
wording. Liability is often regarded as the main culprit for
this, but this is doubtful. A change in liability law for auditors
might have an effect over the long term, but the secondary risk
management practices of many individuals and organizations
are now part of their operating culture. A change in the law
would provide but a small dent in this. Furthermore, excessive
lobbying for law reform may also damage reputation.
The challenge is daunting, because it is not rational for
any individual, organization or professional institute to
initiate changes on its own. But this in effect is what will need
to happen, with political support. The challenge of the risk
management of everything is to roll back the culture of
secondary risk management before it consumes organizational
life. This effort will need to be conducted at two levels: risk
management practice and political discourse.
At the level of risk management practice, the need is for
an "intelligent" risk management which is not control
obsessed and which has a second order capacity to observe and
challenge the effects of the internal control system itself. Some
organizations will say they already have this intelligence. It is a
capacity to challenge the, often very ideal, organizational
models and assumptions inherent in risk management
standards and the systems whose design they inform. It is also
a capacity to avoid being swept away by regulatory programs -
very difficult given the wave of recent initiatives in the
corporate world. In addition, there is a need to nurture
no-blame internal organizational environments.
There is nothing very original about these suggestions,
but they would require all organizations to develop operating
philosophies of experimentation rather than compliance.
From this point of view scenario analysis has the value to
stimulate the imagination of possible alternatives to the
present, rather than as a method of prediction.
At a more systemic or political level a new politics of risk
is required. An older politics of risk sought to challenge expert
judgment, particularly that of scientists, by increasing public
participation in risk management processes. A new politics is
required which restores trust in expertise and which re-enlists
honest professional judgment in the public domain. The
creation of safe havens for judgment does not mean making
professionals non-accountable. Rather, it is to have public
recognition of the essential dependence of society on that
judgment even when failure is possible. A more differentiated
public concept of failure would restore to the very center of its
VOLUME 5 NUMBER 3 2004
legal and conceptual framework the idea of reasonable
judgment which might in retrospect prove to be mistaken.
Outright rogues would need to be dealt with, but
only in the context of wider public acceptance that risk
means ex post failures are possible, as some regulatory
bodies are trying to communicate. In short, a politics of
uncertainty would create a public understanding of the
terms on which professional opinions of all kinds are
offered, an understanding grounded in a political culture
which tolerates uncertainty rather than the depressing
ubiquity of disclaimer paragraphs. In this world, technical
reform of liability law might take place, but it would have
to be part of a larger shift in political consensus, a shift in
which professional institutes, and corporate and political
leaders would need to play a part.
These suggestions may seem very idealistic, and they are
no doubt underdeveloped and incomplete. But the stakes are
high. The possible consequence of the risk management of
everything may be nothing less than the retreat of socially
valuable intelligence from the public domain. In this lecture I
have tried to suggest that the problem is reflected in, but is
much wider than, the position in which auditors presently
find themselves. Indeed, society is in a bizarre predicament.
Never before has there been such a need for considered expert
opinion in so many fields of social and economic life. And yet
are we not designing institutions and risk management
practices whose effect is to frustrate that need?
ACKNOWLEDGMENT
I am grateful to the Trustees of the PD Leake Trust and
to the Institute of Chartered Accountants in England and
VOLUME 5 NUMBER 3 2004
Wales, for their financial support. The views expressed are my
own and do not necessarily reflect those of the ICAEW. This
lecture is also available as a downloadable pdf file from the
ICAEW's Center for Business Performance Web site where it
was originally published. For details of this briefing and other
related publications visit www.icaew.co.uk/cbp. Printed
copies are also available, if you would like a copy please phone
the Centre for Business Performance (020 7920 8634). The
briefing is free of charge. An expanded version of the
arguments in this lecture is to found in Power M. (2004), The
Risk Management of Everything: Rethinking the Politics of
Uncertainty, Demos, London. Available from
www.demos.co.uk
ABOUT THE AUTHOR
Michael Power is PD Leake Professor of Accounting
and a Director of the ESRC Center for the Analysis of Risk
and Regulation (CARR) at the London School of Economics,
where he has worked since 1987. He is a fellow of the Institute
of Chartered Accountants in England and Wales (ICAEW)
and an associate member of the UK Chartered Institute of
Taxation. He has held visiting fellowships at the Institute for
Advanced Study, Berlin and All Souls College, Oxford. His
research interests focus mainly on the changing relationship
between financial accounting, auditing and risk management
He is author of The Audit Explosion (Demos, 1994) and The
Audit Society: Rituals of Verification (Oxford University Press,
1999), which has been translated into Italian and Japanese,
and is currently being translated into French. His most recent
publication is The Risk Management of Everything: Rethinking
the Politics of Uncertainty (Demos, 2004).
THE JOURNAL OF RISK FINANCE 65