
Roles of Risk Managers: Understanding How Risk Managers Engage in Regulation

Published online by Cambridge University Press:  24 July 2019


Abstract

Inside companies that produce significant risks, risk managers play a key role. They manage the connection between the risk regulation regime, which stresses public values, and the company, which pursues a broader array of organisational goals. This makes the role of risk managers ambivalent. To better understand this ambivalence and identify the means, motives and strategies that risk managers employ in response to this ambivalence, this article conducts a concise review of (classic) organisation and regulatory literature. Based on this review, we propose a typology that distinguishes four roles of risk managers: risk managers as supporting staff; risk managers as professionals; risk managers as boundary spanners; and risk managers as agents in regulatory communities. Each type subsequently describes how risk managers employ different strategies in their attempt to connect the risk regulation regime and the company, ie translating policies to practices, tailoring policies to practices, explaining and framing policies and practices, and (re)interpreting policies and practices together with regulators. The typology enables researchers and practitioners to emphasise and more thoroughly analyse the variety and complexity of risk managers’ work, and can help regulators to broaden and fine-tune their strategies to improve connections with the various roles of risk managers.

Creative Commons
This is an Open Access article, distributed under the terms of the Creative Commons Attribution licence (http://creativecommons.org/licenses/by/4.0/), which permits unrestricted re-use, distribution, and reproduction in any medium, provided the original work is properly cited.
Copyright
© The Author(s) 2019

I. Risk management as a continuous balancing act

The self-regulation of risk management has become an essential element in public regulatory policies in the western world, as part of the “shift from government to governance”.Footnote 1 The responsibility of regulated industries to manage risks themselves is considered a core element in many regulatory frameworks initiated by governments. Many regulatory policies assume or require that organisations manage their risks as part of a wider development in the direction of process-based regulatory arrangements.Footnote 2 Private companies are thus expected to account for risk management, implying a conscious and explicit risk assessment and risk mitigation strategy, thereby increasingly incorporating not just corporate but also broader societal values and interests.Footnote 3 Risk management is defined here as a “process of reducing the risks to a level deemed tolerable by society and to assure control, monitoring, and public communication”.Footnote 4

Risk managers – those responsible inside companies for executing the process of risk management via which companies manage risks – thus find themselves in a unique position between government regulation and the daily operations of the organisation. On the one hand, risk managers manage expectations from the environment, including compliance with government regulations. They meet government representatives, usually in the form of public regulators and inspectors. On the other hand, they act within a complex organisation to manage risks. They are members of an organisation, which may simultaneously aspire to different values than those held by government. This makes the risk manager’s position an ambivalent one.Footnote 5 Risk managers have to connect and balance public (governmental) and private (organisational) interests. If the expectations of the environment and the daily conduct within the organisation diverge, the position of risk managers becomes dilemmatic.Footnote 6 As the political and regulatory importance of risk management in private industries increases, the balancing act that is required of risk managers becomes increasingly relevant to anyone interested in public safety.

This ambivalence is a core theme in regulatory literature on risk management. Lenglet describes risk managers as “double agents”.Footnote 7 He specifies this ambivalence by listing the tasks of the risk manager: enacting rules, training employees, monitoring safety performance, advising operators and lobbying. Risk managers actively help to implement regulations and at the same time lobby on behalf of the organisation to regulators or politics for more favourable regulations. Beaumont et al signal that safety officers do not have a particularly easy or simple task and find it problematic to simultaneously combine their roles as independent internal agents from “outside” regulators and advisors to the authority of managers.Footnote 8 Weait notes that compliance officers have a somewhat schizophrenic job to articulate the business case for compliance with “turning law into profit”.Footnote 9

Recent insights in literature suggest that risk managers employ complex behaviour, and engage with people inside as well as outside company boundaries in various ways. For example, Palermo et al argue that risk managers cope with the conflicts inherent in their work in different ways. Individual risk managers use and draw upon “different logics, or part of their underlying practices”, in response to the institutional complexity they encounter in their function.Footnote 10 Lim et al reach similar conclusions in a study which focuses on relations between risk managers and line managers.Footnote 11 According to Jarzabkowski et al, risk managers display changing attitudes and responses to simultaneously contribute to organisational and regulatory goals. Furthermore, risk managers are engaged in a continuous struggle to “compete for managerial attention”, and endeavour to convince line managers to actually “use their methods of defining, measuring and representing the business environment”.Footnote 12 To attain their goals, risk managers need to master different modes of operation, and to be able to engage in a variety of interpersonal connections and develop a set of tools suited to the particular circumstances.Footnote 13 Important as these findings are to understanding the functions of corporate risk managers, and the fact that much variation exists in how risk managers perform their task, they do not result in a systematic insight into how risk managers connect risk-based regulatory regimes with corporate objectives and interests.

We seek to characterise how risk managers connect inside and outside interests via risk management. This contribution is a first attempt to do so, and uses different strands of literature to identify and characterise the various motives, means and strategies of risk managers towards regulators. Organisational literature is used to increase our understanding of the roles risk managers play inside corporations. Knowledge about the roles of organisational specialists who – like risk managers – connect company and outside interests is described, as well as insights about organisational members who work on the “boundaries” between the organisation and the outside world. A second strand, risk regulation and risk governance literature, focuses on the attitudes of risk managers towards societal efforts to influence the company. To systematically understand how different means, motives and strategies affect the attitude of risk managers towards regulation, both bodies of literature are combined, which results in a typology of risk manager roles.

The catalogue of potentially relevant literature in the fields of organisation studies and risk governance and risk regulation literature is obviously huge. To keep this contribution concise and readable, it was decided to pre-structure our literature review in four separate sections, which identify the following roles of risk managers as connectors between the corporation and safety regulators. These are:

  • the risk manager as support staff: in the 1960s and 1970s theories emerged about organisations as a collection of subunits, each with its own interests. Risk managers are rarely explicitly mentioned in this literature, but we can reflect on what these theories mean for the position of risk managers when they are perceived as organisational support staff;Footnote 14

  • the risk manager as a professional: if one perceives risk managers as organisational professionals, literature emphasises the complexity of the job and the multiplicity of values involved, such as professional and managerial values;Footnote 15

  • the risk manager as a spanner of boundaries: risk managers operate near organisational boundaries, between the corporation and its environment. Organisation studies characterise risk managers as “boundary spanners”. Theories of boundary spanning specifically reflect upon the relation between risk managers as organisational members and regulators as external parties;Footnote 16

  • the risk manager as regulator: theories on risk governance explicitly focus on (the management of) risks. It assumes this focus is a central concern for all stakeholders, including risk managers and regulators. In doing so, this literature identifies differences and similarities between risk managers and regulators. Risk managers are perceived as agents within a regulatory community.Footnote 17

Each subsequent section explores the relevant theories and describes their impact on the means, motives and strategies of risk managers. The resulting typology is described in section VI. Section VII discusses the consequences of our exploration for risk regulation, and the relation between risk managers and their regulatory environment.

II. The risk manager as support staff

A starting point to gain insights on the role of risk managers can be found in organisation theory. This literature focuses on formal and informal positions of employees within an organisation. Risk managers are not traditional line managers, because they are not responsible for primary organisational processes. They have an advisory function and are generally considered as, and assigned to, a staff position in the organisation. That being said, the advice of risk managers can have far-reaching consequences that can considerably affect primary processes. Classic organisation theory primarily focuses on the internal organisation, and argues that within an organisation, interaction takes place between a wide variety of different organisational parts, of which risk management is only one, albeit an important one. From this perspective, four observations enable us to describe “risk management” staff functions, and understand its attitude towards regulators, as well as the processes that govern the relation between organisation and regulator.

1. A unit with its own preferences and objectives

A core assumption of organisational theory is that key participants in organisations do not resemble a unitary hierarchy or organic entity, but a loosely linked coalition of interest groups.Footnote 18 An organisation is portrayed as a dynamic coalition of interest groups. Each group attempts to obtain something from the collective by interacting with others, each having its own preferences, objectives and shifting allegiances.Footnote 19 Mintzberg distinguishes different types of organisational units, with fundamentally different mindsets, strategies and responsibilities towards the primary process.Footnote 20 Top management tends to centralise, technostructure tends to standardise and formalise, and the operational core tends to professionalise. Each organisational unit has its own power source – such as authority, information, access to clients – and uses its position in the coalition to seek opportunities to push and pull the organisation towards its own ideal.

2. Adding rationality via standardisation

According to classic organisational literature, risk managers are “technostructure” – as well as a specific form of support staff. As support staff, risk managers analyse and improve the primary process, as well as engage in risk mitigation. Technostructure imposes order and “control” over organisational processes via detailed methods and models that analyse risk (including risk matrices and bow tie models), and risk management systems. Operators provide information for these analyses. Risk managers use this information to advise managers to subsequently recognise and account for the identified risks, and – if those are found critical – initiate policies to mitigate them.

Pfiffner observes that staff managers prefer an administrative rationality that takes into account facts relative to emotions, politics, power, group dynamics, personality and mental health.Footnote 21 Mintzberg states that support staff analytical techniques, interpreted here as risk management techniques, “institutionalise” the job of the line manager, and remove responsibility for control and decision making from the line manager. In this way, risk management supports alignment and coordination of organisational subunits with more important organisational goals. Formal systems are used to drive this process.Footnote 22 Support staff risk managers advocate and push for increased use of technocratic systems, to the detriment of the line manager’s personal responsibilities, but also to that of operational routines that are not formalised in any system.

3. Limiting the autonomy of operators

Support staff can become notoriously powerful in efforts to impose analytics and standards onto the organisation. The source of power from support staff is derived from a line manager, who is formally responsible for the primary process. The means risk managers as support staff employ is standardisation. As an extra power feature, support staff can move freely within the organisational hierarchy, and may uncover inefficiencies and incompetencies in the relations between various departments.Footnote 23 The focus on standards and procedures reduces the autonomy of operators,Footnote 24 and limits the potential for innovation and change.Footnote 25

4. Risk managers as support staff: implications for means, motives and strategies

The risk manager as support staff focuses on its managerial role in the corporation. The biggest asset of the risk manager is the “licence to standardise”, a mandate from top management to implement and manage procedures and systems that encompass the work of every employee and department. The more this mandate is being taken seriously, the more discretionary freedoms of those affected by these procedures become limited.

As for motives, risk managers as support staff seek to add rationality to decision making in organisations, which includes for example efforts to streamline the decision making process. The consequence is that relations between risk managers and organisational units, as well as between organisational units, are affected. The relations with regulators are less well articulated since classic organisational literature primarily focuses on relations inside the organisation, rather than on the role of regulators. We argue that regulators are considered as part of the organisational environment. As such, they provide additional arguments and motives for more risk standards for risk managers. This may happen, for instance, if risk analysis or risk management systems are imposed, or if a threat of future regulation becomes apparent. If the regulator demands new, complicated methods and systems to manage risks, the broader environment becomes an important source of knowledge that risk managers can monopolise. In that case, risk managers act as “technical gatekeepers”, connecting the organisation to important sources of external information.Footnote 26 In these instances, the regulator becomes a source of information and instruction. The risk manager’s job then is to translate the external sources into guidelines and procedures that can be applied in practice by employees within the organisation. The regulator thus becomes a source of power which risk managers use to impose order onto the organisation. On a less political note, regulations are translated into organisational procedures already in place. This is a relatively passive, technocratic effort.

III. The risk manager as professional

The job of a risk manager can be seen as a practice that requires specific technical and managerial skills, and experience. It requires bringing together knowledge and skills on legal, technical, and business issues, among others. These issues often come from different fora, like regulators, line managers, (other) staff managers, clients, etc. Both their knowledge and their position among these actors make these professionals unique. Two classic bodies of literature from organisation science cover each an aspect of this unique position: the one on professionalism and the one on value conflict.

1. Professionalism: a unique source of knowledge

Professionals work relatively autonomously, and have certain freedoms to determine the content and organisation of their work.Footnote 27 They control their own work because of their special skills and knowledge. As professionals, risk managers can be considered an exclusive occupational group who apply relatively abstract knowledge to particular cases.Footnote 28

Like any profession, risk management comes with its own logic, experience, basic assumptions and set of norms. These can compete with those of other professions or with managers within the organisation. The professional logic is rooted in the complexity of the job. Complexity may lead to a certain exclusivity: only the professional knows how to deal with it, and it would be better to leave the job to the professional without interference from others. Professionals use various instruments to protect this exclusivity, through their knowledge base and organisational discourse, as well as via the use of jargon.Footnote 29 Risk management concepts and tools can become complicated to people outside the profession of risk managers, including line managers, operators and sometimes even regulators. As professionals, risk managers have the autonomy to follow their own aesthetics to do their jobs unless they are confronted by counterplay from these groups.

2. Value conflict as a main source of complexity

What, then, is this complexity? As stated before, the position of risk managers as linking pin between regulators and organisation is unique. They have to cope with conflicts between public values and organisational values. For example, requirements for public values such as “sustainability” or “safety” which are set by the regulator need to be aligned with important organisational values – including serving clients and efficiency for staying competitive. Societal values, which are expressed at high levels of abstraction, are easily reconcilable, and less in conflict with organisational values. However, this changes once these values are operationalised towards a specific end. “Value conflict is always a problem of practice”, according to Thacher and Rein.Footnote 30 Indeed, conflicts tend to remain intangible until values are concretised in – for example – safety norms. Romzek and Ingraham argue that individuals in organisations operate in “a web of accountability relationships that represent several different behavioral standards against which their performance can be judged”.Footnote 31 They distinguish four sources of control: external sources, which are political and legal, and internal sources, which are hierarchical and professional. As a result of these sources of control, professionals “can get caught between the cross pressures of initiative and command”.Footnote 32 Value conflicts can become painful in the workplace, and as such heavily affect and influence the role of the risk manager.

3. Coping with competing values

How do professionals cope with value conflicts? Lipsky’s study of public “street-level bureaucrats” was the first to identify and describe professional coping responses to value conflicts.Footnote 33 Professionals employ numerous strategies, such as “rationing” and “routinisation”, as well as discretionary judgment, to reconcile seemingly conflicting requirements to perform their jobs. Every professional, and in this case risk managers, employs strategies to reconcile values and deal with tensions between professional judgment and management policies and rules to manage their practical work.

4. Risk managers as professionals: implications for means, motives and strategies

As risk management became a profession of its own, risk management became too complex to understand immediately by all those working inside the company; the jargon became impenetrable, and increasingly new and more complex risk management tools and elaborate procedures are required to provide proof of being “in control”. Literature on professionalism stresses how this process leads to exclusivity of those who know and can analyse complex systems. This exclusivity protects the means and knowledge of professionals. Literature on value conflicts describes some of the complexities inherent in the position of risk managers as professionals. It does not explicitly consider the relation between professionals and regulators. Coping with value conflicts is thus predominantly studied in the domain of the professional. Although the values with which professionals wrestle may very well be those of regulators, these regulators are seldom considered as relevant actors in this literature. However, regulators have the potential to add to the complexity of the situation professionals are coping with. Nonetheless, the professional’s perspective assumes risk managers are reactive rather than proactive. Competing values are simply considered a fact of life; they are “thrust” upon professionals; they are considered given. It is the risk professional’s job to use their discretionary freedoms to connect policies to practices, and practices to policies, so that value conflicts are managed. This job is a complex one, and this complexity provides risk managers with the autonomy to define and operate complex risk management systems.

IV. The risk manager as boundary spanner

“Coping” has a relatively passive connotation. As already noted, support staff may act as “technical gatekeepers”, being the natural inlet for technical instructions with which organisations have to comply. It is as if risk managers are making the best of a situation that is defined outside their professional domain. However, risk managers may also influence their environments in a more proactive way. Risk managers can act as so-called “boundary spanners”, situated at the boundaries between the organisation and its environment. This strategic position has attracted the attention of both organisational theorists and regulatory scholars. Literature on “boundary spanning” focuses on the organisational borders. Who is managing the boundaries? And how does this happen?

1. Managing the coupling between policies and practices

Organisations are highly motivated to secure enough stability and certainty to be able to function efficiently and effectively in environments that contain unknowns and uncertainties.Footnote 34 Regulators are part of this environment, and can also be considered as a source of uncertainties, or even friction, for organisations.

To align the demands of both the organisational world and the outside world, in terms of risk taking, organisations specifically employ strategies that seek to influence the environmental sources of safety demands, such as bargaining and co-optation – for instance the incorporation of representatives of external groups in decision-making.Footnote 35 Additionally, buffering strategies are used, which shield the operational core from the environment, so that the operating activities can be protected. “Boundary spanning units” play a central role in this perspective, since they directly face the environment and deal with its uncertainties.Footnote 36

Risk managers operate at the interface between regulators and the organisation. Risk managers as boundary spanners have the means (eg knowledge and contacts) to align the organisation with the regulators and manage the couplings between policy and practice within the organisation. Formal policy may require the implementation of risk management systems and risk analysis tools. The managing of couplings may also involve the translation and/or framing of organisational practices to outsiders such as regulators.

2. The effect of regulation on the coupling between policies and practices

Regulation theory also pays attention to the issue of “managing couplings”. It introduces the regulator’s behaviour as an important determinant of means, motives and strategies of risk managers. Orton and Weick predict that the more organisations are forced to implement certain policies, the more questionable it becomes whether these policies are in fact put into practice. Allowing more difference between formal organisational policies and practices is called “loosening coupling”Footnote 37 or “decoupling”.Footnote 38 Meyer and Rowan argue that an increased need to be accountable and transparent in many organisations results in organisational “decoupling” between what organisations formally account for and what they are actually doing.Footnote 39

Governments are said to significantly use their formal authority to promote the use of risk management.Footnote 40 They commonly require organisations to implement risk management systems, and risk management tools, with the aim of facilitating the self-regulatory capacity of organisations and facilitating communication about risks.Footnote 41 This drives organisations to implement risk management systems and suggests that rationality prevails in how organisations decide about (the management of) risks. This trend suggests that loose coupling may be inevitable – even functional – for an organisation from a risk managerial perspective, especially when expectations from the external environment increase. It protects the organisation’s operational core from the dynamics and “idealisation” of “external” policy demands and political requests.Footnote 42

3. An assumed loyalty to the organisation

The assumed necessity to shield operators from the environment implies hostility towards the environment. Boundary spanning literature assumes boundary spanners primarily seek to accomplish organisational, managerial goals. The role of the boundary spanner thus differs fundamentally from the role of the risk professional who is primarily oriented towards professional values. Boundary spanners are considered loyal to the organisation and its survival in a competitive environment. Loose coupling is a negative threat to the environment, including the regulator’s perspective. It poses a threat to the environment, especially to those who want to oversee practices of risk management, such as regulators and inspectors.

4. Risk managers as boundary spanners: implications for means, motives and strategies

The means of a risk manager as “boundary spanner” are essentially his/her strategic position at the interface between regulators and the internal organisation. This position enables the risk manager to obtain a relatively autonomous position by virtue of the strategic ties he/she builds within the organisation and with its environment.

Unlike risk managers as support staff and professionals, boundary spanners see an active role for themselves to influence regulation and its effects on the organisation. Indeed, influencing regulation and its effects for the organisation is considered an important part of their jobs. Boundary spanners play a political game between regulators and the organisation, using their skills and means to mitigate the effects of regulation if these are found to conflict with those of the organisation. For the risk manager as boundary spanner, information on policies and practices provides the means to manage the organisation and the environment. Reporting policies and practices consists not just of technical reporting, but is also considered from a marketing perspective. Risk managers are in a position to frame organisational policies and practices strategically to the environment. At the same time risk managers may frame regulations as urgent to reinforce their position within the organisation.

V. The risk manager as part of a regulatory community

Considering risk managers as part of a regulatory community takes the idea of risk managers as boundary spanners one step further. Literature on regulatory communities stresses collaboration over conflicts and differences. It focuses on the effectiveness of regulation rather than the effectiveness of organisations. To achieve effectiveness, interaction and learning between regulators and those in the corporation who are responsible for compliance – and these include risk managers – is considered vital. Risk regulation literature considers regulation as a learning process, is more prescriptive and has a far more positive outlook towards organisations.Footnote 43

1. A horizontal relationship between regulator and risk manager

The idea that risk managers and regulators are part of a regulatory community contrasts sharply with the perspectives of risk managers focusing on decoupling and boundary spanning. The relationship between regulator and risk manager in risk governance is considered to be harmonious, networked and horizontal rather than hierarchical and potentially conflicted.Footnote 44 Although regulators and risk managers hold different positions and affiliations, both share similar values and a basic understanding of the meanings and goals of regulatory action.Footnote 45

Risk governance literature stresses the importance of communication and trust within and across organisations, and argues that risk-related processes are delicately interconnected and potentially conflicting processes.Footnote 46 Quality of knowledge is identified as an essential feature of risk governance, which consists of principles such as “good knowledge”, communications and trust.Footnote 47

2. Risk governance as an inter-organisational feature

An important principle in risk governance is “inclusion”, ie the involvement of interested and affected stakeholders in collective decision making about risk. Inclusion promotes coping with uncertainty, complexity, and ambiguity.Footnote 48 It also promotes democracy, social robustness, and social learning.Footnote 49

The literature on risk governance is inter-organisational in nature yet it rarely specifies risk governance processes across the public-private divide, ie between risk managers and regulators. Parker states that “Regulators must rely on a regulatory community in which regulators, compliance professionals, and other affected parties together work out standards for compliance, with regulators maintaining the crucial task of meta-evaluation”.Footnote 50 In other words, risk managers are assumed to convince other organisation members to incorporate and align the external value with the organisational values. Moreover, it is assumed that “regulatory messages are communicated into a world of shared bonds and shared understandings in which companies can effectively respond to regulatory signals, and the parties deliberate effectively about their response to them, which, in turn, creates shared commitments to regulatory goals”.Footnote 51

3. Regulators and risk managers joining up for interpreting regulation

Although the relation between risk managers and regulators is considered a dual one, risk governance literature assumes a common ground will result from interaction. At the same time risk managers are assumed to be “streetwise”Footnote 52 and, as such, willing to compromise with corporate, often commercial, values. In other words: deliberations between risk managers and regulators will be more about the “how” than the “what”. Risk managers and regulators are partners when discussing regulatory goals, whereas the “how” will be the subject of deliberations and interpretations by both risk managers and regulators. Both policies and practices of the risk managers’ industry are conditioned by regulations, as they are input for regulatory change at the same time. Policies, practices and regulation will be subject to joint interpretations and reinterpretations. Gilad emphasises the same element of this interpretation process by introducing the concept of “regulatory meaning co-construction”.Footnote 53 Regulators both anticipate and react to the way compliance professionals frame regulations.

The idea of joint interpretation and reinterpretation of regulation sounds idealistic, but is meant to complexify the motives of risk managers (and regulators) away from simplistic caricatures as self-interested actors. However, literature on regulatory communities primarily describes the relationship between these groups from the perspective of the regulator.

4. Risk managers as part of a regulatory community: implications for means, motives and strategies

Like the boundary spanner, the risk manager as part of a regulatory community has a unique strategic position between the organisation and the regulatory environment. Moreover, literature on risk governance also stresses the unique knowledge of risk managers. It is this knowledge that facilitates cooperation between risk managers and regulators. Both groups use the same language and understand the complexities of their jobs. Compared to boundary spanning literature, risk governance literature focuses more on the substance of the interaction with the regulator, the so-called “regulatory conversations”.

Like boundary spanners, risk managers as regulators actively influence regulation and its effects on the organisation. They actively engage in interactions with regulators to shape regulations and their consequences. As part of an assumed regulatory community, the risk manager collaborates with regulators – as fellow-professionals – and they jointly (re)interpret policies and practices.

VI. A typology of risk managers

Table 1 summarises the four profiles which result from the literature study, and which support the identified roles of risk managers.

Table 1. A typology of risk managers

Two dimensions enable us to distinguish the four roles of risk managers and their attitudes towards regulation more crisply.

Attitudes towards regulations: from passive to (pro-)active. The roles of the risk manager as professional and as support staff that we have identified both take the existence of regulations for granted. These regulations are defined by institutions outside the corporation that lie beyond the risk manager’s influence. In these roles, regulations are considered a given. Literature on support staff does not even consider the role of a regulator outside the organisation. Instead, it focuses on the role of the risk manager inside the organisation, or, more specifically, how risk managers behave towards parts of the organisation. Regulators, then, are considered outside sources of pressure which create constraints that have to be translated into technical standards. The role of risk managers as professionals considers regulations as inventions from outside the sphere of influence of the risk manager. However, in this role, outside requirements are aligned with and related to other requirements, coming from inside and outside the organisation. The main challenge of the risk manager is to solve the puzzle of how to simultaneously cope with these different requirements.

When risk managers are boundary spanners or regulatory community agents, they adopt a more (pro-)active approach. In these roles, risk managers actively seek, as part of their jobs, to influence regulation and its effects on the organisation. This is a broader and more integral approach which more actively connects the outside world to the inside work of the risk manager. The role of the boundary spanner explicitly assumes that risk managers play an important role in the political game between regulators and the organisation, using their means to mitigate the effects of regulation. Risk managers as part of a regulatory community are even more (pro-)actively involved in interactions with regulators to (re)define regulation and its consequences.

Attitudes towards regulators: from resistant to cooperative. Where risk managers assume roles as professional and boundary spanner, they display a relatively resistant attitude towards regulators. In these roles, regulators are considered sources of “problems”. As professionals, risk managers view regulation as a coping problem, which requires them to implement regulations that do not necessarily align with organisational values, and might even be in conflict with them. The role of boundary spanners considers that regulators pose a continuous potential threat towards organisational goals and interests. Consequently, relations with these institutions are more actively “managed” to influence this source of power outside of the organisation.

In contrast, risk manager roles as support staff and regulatory community agents display a much more cooperative attitude towards regulators. In these roles, regulators and risk managers share a common professional or even moral interest or philosophy. This like-mindedness facilitates – either explicitly or implicitly – mutual understanding and cooperation. In the role of support staff, regulators provide a source of power to risk managers. Implementing regulations in an organisation requires elaborate (technical) knowledge. This knowledge is provided by the risk manager and the implementation process is facilitated by the risk manager’s systems. The more detailed these systems become, the more they restrict the freedoms of operators and line managers. The role of risk managers as regulatory community agents emphasises cooperation with regulators even more explicitly. This cooperation is considered natural, and facilitated by an assumed common ground with the meanings and goals of regulatory action.

Table 2 frames the four roles of risk managers on these two dimensions.

Table 2. Positioning the four types of roles of risk managers

VII. Conclusion and discussion: variety and its consequence for regulation

1. A variety of risk managers

Risk managers can be ambivalent towards regulation. In this contribution we assumed that “the” risk manager does not exist, and that risk managers can perceive their role differently. This affects how they deal with this ambivalence, and their attitude towards regulation. By bringing together insights from organisational and regulation literature we have identified four roles and their consequences for risk managers’ attitude towards regulation, as well as for their efforts to connect their organisation to regulators.

We have distinguished four roles of risk managers. These are risk managers as: (1) support staff; (2) professionals; (3) boundary spanners; and (4) agents in a regulatory community. Table 1 summarises the results of this analysis. The significance of these four roles for risk managers’ attitudes towards regulation and regulators is shown in Table 2. The tables allow scholars to appreciate the complexities of the risk managers’ function. They also provide them with an overview of the different perspectives about this role, as well as the implications for the means, motives and strategies that risk managers employ.

These insights are also of potential value to regulatory regimes that deal with risk managers. First, the typology combines organisation studies and risk regulation literature. Bridging those two fields provides more detailed insights about why risk managers can be perceived as ambivalent. This ambivalence might be given, but the way risk managers deal with ambivalence of course differs according to the individual. These differences are significant for the effectiveness of regulation.

Second, this contribution provides additional insight into the relation between risk regulation and the strategies of risk managers. Based on the typology, we propose that strategies of risk managers are dependent on how risk managers define their role. This in turn influences how they connect regulatory policies to practices in corporations. Earlier studies emphasised the coerciveness of regulatory regimes as a main factor to explain this coupling.Footnote 54 However, part of the risk manager’s job is to manage this process of coupling. Based on our analysis we theoretically identified four different strategies that risk managers can resort to in managing the coupling. These strategies follow from different perceptions about the role of the risk manager, ie translating policies to practices, tailoring policies to practices, explaining and framing policies and practices, and joint (re)interpretation of policies and practices (see Table 1). Obviously, these strategies differ to such an extent that a one-size-fits-all regulatory approach stands little chance of becoming successful.

2. Is variety of risk managers problematic for risk regimes?

The variation in strategies that risk managers can employ to manage the coupling, ie to connect organisational practices with regulatory policies, and the corresponding ambivalence in what risk managers ought to do, could constitute a problem for risk regimes. The conclusion of this theoretical review of the role of risk managers is to neither justify nor criticise the current ambivalence in what risk managers in corporations do, and how they respond to regulation. Nor does it seek to impose the four roles of risk managers that were identified as definitive and complete descriptions. Instead, the roles identified in our analysis lead us to conclude that regulators should expect ambivalence in the behaviour of risk managers and the organisations they represent, and find ways to deal with it.

A second conclusion is that the position of risk managers in the broader regulatory regime requires risk managers and regulators to use reflective skills on how to combine the different strategies and/or to shift from one strategy to another. So, given our conceptualisation of the roles of risk managers, we can expect a problem when:

  • a risk manager lacks the flexibility and/or the capacity to reflect on the relation between the roles of the risk manager and his (organisation’s) goals. When to use which strategy? For example because the formal mandate and corresponding interpretation of the risk manager’s tasks do not align with the strategies and means that were identified in our typology;

  • risk managers’ discussions, either with operational staff or with a regulator, are not “rich” and substantive enough to assess what is the preferred strategy for connecting regulatory policy to practice within the corporation; similarly, when conversations fail to reveal how the risk manager seeks to realise this;

  • a regulator’s expectation of the behaviour of risk managers is confined to part of the typology, ie the regulator assumes that risk managers only engage in a subset of the four identified strategies to connect regulatory policies to organisational practices.

Finally, the contribution may inspire more scholarly empirical studies of risk managers in the future. For example: what internal or external institutional factors determine what roles risk managers “play”? What explains switching behaviour between the roles of risk managers? Tantalising answers are inferred in this study (see Table 1), but more in-depth studies could reveal more powerful insights. Empirical studies that focus on the role of the risk manager rather than on regulatory policies seem especially promising. Rather than focusing on regulatory policies as an operationalisation of risk management behaviour, future studies could focus on the actual behaviour of risk managers which captures the confrontation between regulatory policies and the corporate environment. Another study could investigate how strategies of risk managers – such as “framing policies to practices” – relate to compliance and/or more broadly-defined public values.

If we have more insight into these issues, the typology of roles may be strengthened and could serve as a valuable indicator for regulators to not only identify the “type” of risk manager a regulator is dealing with, but also to understand how the regulatory regime is perceived by the risk manager and its corporation.

Footnotes

*

Haiko van der Voort, Mark de Bruijne and Bauke Steenhuisen are Assistant Professors Organisation & Governance at Delft University of Technology, Faculty Technology, Policy and Management. Corresponding author email: h.g.vandervoort@tudelft.nl.

References

1 Eg Bevir, M, Governance: A very short introduction (Oxford, Oxford University Press 2012).

2 Eg Coglianese, C and Lazer, D, “Management-Based Regulation: Prescribing Private Management to Achieve Public Goals” (2003) 37 Law and Society Review 691; Gunningham, N, “Strategizing Compliance and Enforcement” in Parker, C and Nielsen, VL (eds), Explaining Compliance; Business Responses to Regulation (Cheltenham, Edward Elgar 2011) pp 211–216.

3 Eg Power, M, “Risk Management and the Responsible Organization” in Ericson, RV and Doyle, A (eds), Risk and Morality (Toronto, University of Toronto Press 2003) pp 145–164.

4 Morgan, MG, “Choosing and Managing Technology-Induced Risks” in Glickman, TS and Gough, M (eds), Readings in Risk (Washington, Resources for the Future 1990) pp 5–15; Renn, O, “Three decades of risk research: accomplishments and new challenges” (1998) 1 Journal of Risk Research 51, doi: 10.1080/136698798377321. We use a broad definition of “risk management” here. As organisations are diverse, risk managers may be called by different names in different organisations. Depending on the type of risks or the application field, they may be called Chief Risk Officers, Safety Managers, Health & Environment Managers, etc. “Risk managers” in this contribution are held responsible for managing a specific issue (ie environment, safety, financial risk) which affects (a) public value(s) and potentially harms both the organisation and society.

5 Lenglet, M, “Ambivalence and Ambiguity: The Interpretive Role of Compliance Officers” in Huault, I and Richard Finance, C (eds), The Discreet Regulator; How Financial Activities Shape and Reform the World (New York, Palgrave MacMillan 2012) p 59; Power, M, “Organizational Responses to Risk: The Rise of the Chief Risk Officer” in Hutter, B and Power, M (eds), Organizational Encounters with Risk (Cambridge, Cambridge University Press 2005).

6 Eg Parker, C, The Open Corporation; Effective Self-regulation and Democracy (Cambridge, Cambridge University Press 2002) p 179.

7 Lenglet, supra, note 5.

8 Beaumont, PB et al, “The Safety Officer: An Emerging Management Role?” (1982) 11 Personnel Review 35.

9 Weait, MJ, The Role of the Compliance Officer in Firms Carrying on Investment Business in the City of London (Oxford, Oxford University Press 1995) p 138.

10 Palermo, T et al, “Navigating Institutional Complexity: The Production of Risk Culture in the Financial Sector” (2017) 54 Journal of Management Studies 154, <doi.org/10.1111/joms.12241>, p 157.

11 Lim, CY et al, “The paradoxes of risk management in the banking sector” (2017) 49(1) The British Accounting Review 75, <doi.org/10.1016/j.bar.2016.09.002>.

12 Jarzabkowski, P et al, “Responding to competing strategic demands: How organizing, belonging and performing paradoxes coevolve” (2013) 11(3) Strategic Organization 245.

13 Hall, M et al, “How do risk managers become influential? A field study of toolmaking in two financial institutions” (2015) 26 Management Accounting Research 3, <doi.org/10.1016/j.mar.2014.12.001>.

14 Eg Cyert, RM and March, JG, A Behavioral Theory of the Firm (Englewood Cliffs, Prentice-Hall 1963); Pfeffer, J and Salancik, GR, The External Control of Organizations: A Resource Dependence Perspective (Stanford, Stanford University Press 1978); Mintzberg, H, The Structuring of Organizations (Englewood Cliffs, Prentice-Hall 1979).

15 Eg Abbott, A, The System of Professions (Chicago, Il, University of Chicago Press 1988); Lipsky, M, Street-Level Bureaucracy; Dilemmas of the Individual in Public Services (Sage, New York 1980).

16 Eg Meyer, JW and Rowan, B, “Institutionalized Organisation: Formal Structure as Myth and Ceremony” (1977) 83 American Journal of Sociology 340; Scott, WR, Organizations; Rational, Natural, and Open Systems (Englewood Cliffs, Prentice-Hall 1992).

17 Eg Black, J, “New Institutionalism and Naturalism in Socio-Legal Analysis: Institutionalist Approaches to Regulatory Decision Making” (1997) 19 Law & Policy 51; Parker, C, “Compliance Professionalism and Regulatory Community: The Australian Trade Practices Regime” (1999) 26 Journal of Law and Society 215; Renn, O, Risk Governance: Coping with Uncertainty in a Complex World (London, Earthscan 2008).

18 Cyert and March, supra, note 14.

19 Pfeffer and Salancik, supra, note 14, p 36.

20 Mintzberg, supra, note 14.

21 Pfiffner, JM, “Administrative rationality” (1960) 20 Public Administration Review 125.

22 Mintzberg, H, Power In and Around Organizations (Englewood Cliffs, Prentice-Hall 1983).

23 Mumford, E and Pettigrew, A, Implementing Strategic Decisions (New York, Longman 1975).

24 Crozier, M, The Bureaucratic Phenomenon (Chicago, University of Chicago Press 1964) p 165; Kanter, R, “The Measurement of Organizational Effectiveness; Productivity, Performance and Success” Working Paper 8, PONPO (New Haven, Yale University Press 1979).

25 Galbraith, JR, “Designing the Innovative Organization” (1982) 10 Organizational Dynamics 5.

26 Mintzberg, supra, note 22, p 200.

27 Larson, MS, The Rise of Professionalism (Berkeley, University of California Press 1977).

28 Abbott, supra, note 15, p 318.

29 Abbott, supra, note 15, p 318; Freidson, E, Professionalism; The Third Logic (Chicago, University of Chicago Press 2001).

30 Thacher, D and Rein, M, “Managing Value Conflict in Public Policy” (2004) 17 Governance 461.

31 Romzek, BS and Ingraham, PW, “Cross-Pressures of Accountability: Initiative, Command and Failure in the Ron Brown Plane Crash” (2000) 60 Public Administration Review 242.

32 ibid, p 249.

33 Lipsky, supra, note 15.

34 Scott, supra, note 16, p 195.

35 Scott, supra, note 16; Pfeffer and Salancik, supra, note 14.

36 Thompson, J, Organizations in Action (New York, McGraw-Hill 1967); Meyer and Rowan, supra, note 16.

37 Orton, JD and Weick, KE, “Loosely Coupled Systems: A Reconceptualization” (1990) 15 Academy of Management Review 203.

38 March, JG and Olsen, JP, Ambiguity and Choice in Organisations (Bergen, Universitetsforlaget 1976); Brunsson, N, “Ideas and Actions: Justification and Hypocrisy as Alternatives to Control” (1993) 18 Accounting, Organisations and Society 489; Scott, WR, Institutions and Organisations: Ideas and Interests (Thousand Oaks, Ca, Sage 2008); Bromley, P et al, “Decoupling Revisited: Common Pressures, Divergent Strategies in the U.S. Nonprofit Sector” (2012) 15 M@n@gement 468.

39 Meyer and Rowan, supra, note 16; Orton and Weick, supra, note 37; Power, M, The Audit Society; Rituals of Verification (Oxford, Oxford University Press 1997).

40 Eg Hood, C et al, The Government of Risk; Understanding Risk Regulation Regimes (Oxford, Oxford University Press 2011); Haines, F, The Paradox of Regulation: What Regulation Can Achieve and What it Cannot (Cheltenham, Edward Elgar 2011).

41 Lodge, M and Wegrich, K, Managing Regulation; Regulatory Analysis, Politics and Policy (New York, Palgrave MacMillan 2012) pp 85–89.

42 Weick, KE, “Educational Organisations as Loosely Coupled Systems” (1976) 21 Administrative Science Quarterly 1; Roberts, J, The Modern Firm: Organisational Design for Performance and Growth (Oxford, Oxford University Press 2004); Moerth, U, “Soft Regulation and Global Democracy” in Djelic, ML and Sahlin-Andersson, K (eds), Transnational Governance: Institutional Dynamics of Regulation (Cambridge, Cambridge University Press 2006).

43 Wiener, J, “Risk Regulation and Future Learning” (2017) 8 EJRR 49.

44 Renn, supra, note 17; van Asselt, M, and Renn, O, “Risk Governance” (2011) 14 Journal of Risk Research 431; Klinke, A and Renn, O, “Adaptive and Integrative Governance on Risk and Uncertainty” (2012) 15 Risk Research 273.

45 Black, supra, note 17, pp 30–38.

46 Luhmann, N, Trust and Power (New York, Wiley and Sons 1980); Whitfield, S et al, “Nuclear Power: Value Orientation and Risk Perception” (2009) 29 Risk Analysis 425; Rosa, EA et al, The Risk Society Revisited; Social Theory and Governance (Philadelphia, Temple University Press 2014) p 167.

47 Stern, P and Fineberg, H, Understanding Risk: Informing Decisions in a Democratic Society (Washington DC, National Academy Press 1996); Horlick-Jones, T and Sime, J, “Living on the Border: Knowledge, Risk and Transdisciplinarity” (2004) 36 Futures 441.

48 Rosa et al, supra, note 46, p 167.

49 Roca, E et al, “Assessing the Multidimensionality of Coastal Erosion Risks: Public Participation and Multicriteria Analysis in a Mediterranean Coastal System” (2008) 28 Risk Analysis 399.

50 Parker, C, “Compliance Professionalism and Regulatory Community: The Australian Trade Practices Regime” (1999) 26 Journal of Law and Society 215.

51 Parker, C, “Reinventing Regulation within the Corporation; Compliance-Oriented Regulatory Innovation” (2000) 32 Administration & Society 529.

52 Parker, supra, note 6, p 180.

53 Gilad, S, “Beyond Endogeneity: How Firms and Regulators Co-Construct the Meaning of Regulation” (2014) 36 Law & Policy 134.

54 Eg Meyer and Rowan, supra, note 16; Orton and Weick, supra, note 37; Power, supra, note 39.
