Upload
others
View
3
Download
0
Embed Size (px)
Citation preview
1
Riskmanagementinlocalauthorities:rules,understandings,teleo-affectivestructuresandmaterialarrangements
BinhBui
VictoriaUniversityofWellington
CarolynCordery
VictoriaUniversityofWellington
ZichaoWang
AustralianNationalUniversity
Abstract
Purpose: Territorial local authorities (LAs) operate in a complex and dynamic environment
which gives rise to multiple and conflicting stakeholder demands. Risk management (RM)
provides a potentially effective mechanism to handle these conflicts. The purpose of the study
is to examine and explain RM practices within two New Zealand LAs.
Design/methodology/approach: We use Schatzki’s social site ontology to analyse RM
practices organized by rules, understandings, teleo-affective structures and material
arrangements. Seventeen in-depth interviews were conducted with managers across different
levels within two New Zealand local authorities.
Findings: Our findings reveal that while both LAs utilise similar RM rules and processes, there
is significant heterogeneity between the two, due to the ambiguity of the teleology and the
differences in understandings. In contrast, the homogeneity within each organization arises
from the shared mentality (state of affairs) that drives RM behaviour.
Originality/value: We also offer insights regarding the dynamics and interactions between the
four components of RM practices, and definitional issues regarding practical and general
understandings.
Key words: risk management, Schatzki’s social site ontology, practice theory
Type of research: Case study
2
INTRODUCTION
Public sector risk has become increasingly interesting to academics and practitioners (Vincent,
1996). Corporate governance reforms have required risk management (RM) as part of
management controls (Abernethy & Chua, 1996) imposed to reflect the corporate risk appetite
(Collier & Woods, 2011) and achieve corporate objectives (Clarke & Varma, 1999).
Notwithstanding commercial connotations, the International Federation of Accountants argues
that corporate governance is also necessary in public sector organizations, if they are to meet
stakeholders’ demands and pursue a complex mix of political, economic, and social objectives
(Collier & Woods, 2011). For local authorities (LAs), required to deliver a wide range of public
services in an often politically-charged environment, utilisation of RM to manage stakeholders’
demands should lead to effective governance and organizational performance (McCrae &
Balthazor, 2000).
This comparative RM research into two LAs fills a gap in the literature. Woods' (2009a)
contingency theory based in-depth analysis of RM in a single LA cannot be generalised.
Collier, Berry, and Burke's (2007) more generalizable survey used institutional theory, but was
private-sector based. Both of those studies were UK-based, making the research presented in
this paper innovative in two respects. Firstly, we compare RM in two New Zealand LAs and
secondly, we analyse the findings using Schatzki’s social site ontology (as further described).
Public sector organizations operate in a dynamic and complex environment, comprising
multiple stakeholders who may impose undue demands on them and judge performance using
different criteria (Bryson, 1988). In this challenging environment, RM increases organizational
preparedness and responsiveness to environmental change, reducing organizational failures
following adverse events. The business case for risk management systems (ERM) argues that
ERM can improve organizational performance through enhanced awareness of risk-return
relationships, effective risk treatment strategies, and stronger internal controls, risk monitoring
and communication systems. Equally importantly, ERM is a vehicle through which
organizations demonstrate resilience to external stakeholders through documentary evidence
and audit trails. Public sector RM often originates from organizations exercising legitimacy
and accountability, therefore prioritising reputational risk over first-order health, physical, and
financial risks (Power, 2007, 2009). Consequently, ERM may focus on compliance and
systems rather than key strategic and performance issues, leaving the literature divided
regarding whether RM effectively improves organizational performance. We argue that this is
due to inadequate knowledge of the internal intricacies of ERM which remains a ‘black box”,
3
with little understanding of operational dynamics and processes through which staff employ
RM to achieve organizational objectives.
Motivated by this gap, we utilise practice theory to better understand and explain public sector
RM practices and the role of accounting. In particular, we adopt Schatzki’s (2002) social site
ontology that explains practices as bundles of human activity comprising four elements. We
study two LAs in New Zealand (NZ) following a major earthquake of 6.3 Richter scale in 2011
with 185 deaths. Earthquakes have significant implications for RM and we choose the LA
directly affected by the earthquake (Christchurch City Council, aka CCC) and another sited on
a seismic fault (Wellington City Council, aka WCC) which also experienced a series of strong
earthquakes (in 2013) bearing some infrastructure damage but no loss of life.1 These two LAs
are ideal for insights into LAs’ responses to risk events and any resulting RM changes. Further,
LAs’ complex operations allow exploration of multi-dimensional risk measures, and different
departments’ RM perceptions and ERM operationalisation.
This study asks: How is risk management organized and practiced within LAs? The question
is addressed by directly coding and analysing case study data using the four elements of
Schatzki’s (2002) social site analysis (teleo-affective structures, rules, understandings, and
material arrangements). Thus, the next section reviews extant literature on RM practices within
public sector organizations in other countries. This is followed by a brief overview of
Schatzki’s social site analysis. The research methods are then outlined, including participant
selection and how data are coded and analysed. Then, the findings are presented followed by
insights regarding the nature and dynamics of Schatzki’s four elements in explaining RM
practices in the two LAs. Finally, contributions, limitations and future research conclude the
paper.
LITERATURE REVIEW
Risk awareness is stimulated by escalating business scandals (e.g. the Enron collapse), natural
disasters (e.g. global warming), terrorist attacks (e.g. September 11) and problems in emerging
virtual markets (e.g. financial crises). As such, RM permeates people’s daily lives and
organizations’ everyday operations (Power 2004). It is unsurprising that ERM and other similar
RM frameworks seek to provide a holistic and integrated approach to manage organizations’
risks. ERM’s power is realized through a set of pre-determined rules focused on ‘optimally
1 ThesewereRichterscale5.7,5.8and6.5between19thand21stJulyand6.6onAugust16th.Dataretrievedfromhttp://info.geonet.org.nz/display/quake/2014/01/06/Principal+earthquakes+of+New+Zealand+in+2013
4
balancing between growth and return goals and related risk’ (COSO ERM, 2004, p.3). ERM
specifies actions for managing organizational risks including: risk identification, risk
assessment, risk reduction, monitoring and control, in conjunction with determining
organizations’ risk appetites (Themsen 2014).
Practice-based literature focuses on risk assessment and how accounting quantifies risk
probability and the severity of any consequences; through calculating the degree of risk
tolerance/appetite, and performing cost and benefit analysis (COSO ERM, 2004). It is claimed
that the accounting’s calculative power enables ERM to ‘ensure management achieve the
entity’s performance and profitability targets and prevent loss of resources … helps ensure
effective reporting and compliance with laws and regulations, and helps avoid damage to the
entity’s reputation and associated consequences’ (COSO ERM, 2004, p.3).
Contemporaneously, other research develops alternative management control frameworks in
parallel with ERM (Dekker 2004; Anderson and Dekker 2005; Anderson et al. 2015). These
researchers include mechanisms beyond accounting for managing risks. For example, Dekker’s
(2004) case study preferred formal controls to manage risks from partner firms’ opportunistic
behaviour. Nevertheless, formal RM controls were moderated by informal control (based on
trust) in these supply alliances. Overall, these ERM and other RM frameworks incorporate a
functionalist view on RM, creating the impression that RM is a ‘box-ticking’ activity (Collier
et al. 2007) equated with complying with pre-determined rules.
While RM frameworks equip organizations with so-called ‘best RM practices’, other research
adopts a practice approach, examining how organizations use/operationalize ‘best practice’
frameworks. Significant variations are evident in formalization and complexity of RM systems
in Woods’ (2009b) UK organizations. Further, considering RM guidance and frameworks,
while all five of Crawford and Stein's (2004) UK LAs employed a designated risk manager,
only one had commenced an organization-wide risk review; two LAs reported through a
structure but neither sought an independent RM review. Finally, though all regarded risk
registers as an important tool for analysing and prioritizing risks, they seldom used them.
Similar variations in RM framework operationalization was also found in Australian LAs
(Barrett 2005; CPA Australia 2002). These findings together reflect Ahrens and Chapman’s
(2007)’s warning that context matters.
Recent research includes the organizational environment impacting RM framework
implementation and practices. Organizational culture is a key determinant, for example in audit
5
committees and at executive level (Office of the Auditor General Victoria, 2004), with a third
of the public sector organizations lacking a tradition of explicitly identifying and assessing key
risks. Further, Barrett (2005) noted public sector organizations’ organization-wide RM was
hindered by a culture of relying on a particular individual to manage risk. Further, Mikes (2009)
identified two organizational cultures – quantitative enthusiasm and scepticism in risk
measurement and modelling. Quantitative enthusiasts are dedicated to precise risk
measurement, while quantitative sceptics envision possible future risk scenarios. Collier &
Woods (2011) instead categorize organizations’ RM culture into three types: ignorance, tacit
recognition and cultural embeddedness.
Besides culture, researchers examine how other contingent variables (including government
policy, information and communication technologies (ICT), organization size and risk experts)
influence RM practices. In a case study of UK’s Birmingham City Council, Woods (2009a)
examined the effect of three contingent variables on risk control systems, finding: (i) central
government policy drives LAs’ objectives, their achievement of policy targets and determines
their resource availability; (ii) organization size affects the level of formalization of risk
controls (e.g. documented systems, specialists and ICT), while (iii) ICT (specialist software)
collects risk information and monitors risk performance. Arena et al. (2010) and Mikes (2011)
also find ICT to be explanatory for differences in risk management practice. Collier and Woods
(2011) extend Woods (2009), finding that past experience also affects RM implementation,
and Mikes (2011) highlights risk experts’ roles in RM culture variations.
Acknowledging a variety of RM practice, some researchers focus on examining RM
consequences/effects. According to Power (2005; 2007), the ambiguity of RM definitions
enables actors to use RM as an empty canvas to pursue their own interests. He further contends
that organizations use established RM frameworks to manage first order risks, but RM efforts
are multiplied through the creation of second order risks relating to public blame and
reputational damage. Sophisticated RM procedures and frameworks limit RM to easily
auditable signals, which lead to organizational myopia and defensiveness and the ‘risk
management of nothing’. Vinnari and Skærbæk (2014), empirically examined the effects of
RM in a Finnish municipality finding that:
…riskmanagement,ratherthanreducinguncertainty,itselfcreatedunexpecteduncertaintiesthat
wouldotherwisenothaveemerged.Theseincludeuncertaintiesrelatingtolegalaspectsofrisk
managementsolutions,inparticulartheissueconcerningwhichtypesofdocumentareconsidered
legallyvalid;uncertaintiesrelatingtothedefinitionandoperationalizationofriskmanagement;and
uncertaintiesrelatingtotheresourcesavailableforexpandingriskmanagement.Moregenerally,
6
suchuncertaintiesrelatetotheprofessionalidentitiesandresponsibilitiesofoperationalmanagers
asdefinedbytheframingdevices(p.489).
Similarly, Wang et al. (2016) find that mitigating risk through diversifying inter-firm alliances
unexpectedly resulted in damaging trust between partner firms.
Prior accounting research significantly contributes to our understanding about how: a) risks
ought to be managed; b) risks are actually managed in different contexts; and c) risk
management may generate unexpected outcomes. However, three assumptions may limit our
understanding about organizational RM. First, prior research limits interactions, assuming that
one contextual variable exercises agency and affects RM actions independently of others. Yet,
much research argues that interactions equip variables with agency to act (Chua 1995;
Jørgensen and Messner 2010; Mourtisen and Thrane 2006). Therefore, instead of focusing on
and amplifying single variable effects, it is necessary to analyse the interactions of multiple
local variables on RM practices.
Second, much RM research ignores context, assuming that RM practice independently exists.
However, Ahrens and Chapman’s (2007) call for studying the ‘situated functionality of
accounting’ and management control systems, implying that RM practice emerges from chosen
frameworks and interactions between organizations’ contextual variables. That is, risk
management practice and so-called contextual variables are necessary constituents of each
other’s existence.
Third, prior research implicitly assumes rationality drives RM practices due to people’s
intellectual and reasoning skills, informed by ‘best practice’, technical analysis, experience,
expertise, or culture etc. It assumes that these rationalities are ‘invisible hands’ ultimately
driving RM practices. However, social science theorists argue that feelings and emotions
(people’s cognitive status) may conflict with rationalities (Boedker and Chua, 2013). As such,
focusing on rationality and ignoring people’s cognitive status does not allow a holistic picture
of organizational RM.
SCHATSKI’S SOCIAL SITE ONTOLOGY
To understand holistically how LAs organize and practice RM, we employ Schatzki’s (2001a,
2002, 2012) practice theory. Ahrens and Chapman (2007) and Jorgenson and Messner (2010)
argue that Schatzki’s social site ontology can link accounting to organizations’
operationalization of their objectives, helping uncover the “situated functionality” of
7
management control practices. As such, Schatzki’s practice theory is pertinent to explain
accounting and RM in public sector organizations, providing a useful lens to examine LAs’
everyday activities and how they interact, respond, converge, or deviate from RM objectives.
According to Schatzki’s (2005) practice theory, organizations are sites comprising a set of
practices. Practices are unique, differing from each other, but intelligently coexist and connect
to each other. Given that public sector RM involves routinized processes of adopting,
implementing and using certain ERM (Crawford and Stein 2004; Collier and Woods 2011);
continuous controversies between a variety of actors (Mahama 2007; Callon et al. 2007); the
reliance on personal and organizational culture (Mikes 2011) and the mobilization of
inscriptions and other material devices (Vinnari & Skærbæck 2014), it is reasonable to believe
that ERM is one such practice within the site of organizations. Figure 1 shows Schatzki’s
elements.
Figure 1: Elements of Schatzki’s social site analysis
Schatzki (2002) argues that any practice (including RM) comprises a nexus of actions and
material arrangements which often follow a certain order to sustain (for example) RM
practices. These actions residing in a practice are organized by three phenomenon: rules,
understandings and teleo-affective structures, as now described.
For public sector RM, rules could be an external framework or internally developed ‘best
practice’. These rules become legitimated instructions about managing risk in principle, to
achieve organizations’ objectives (e.g. accountability and efficiency). Rules prescribe how:
risk is evaluated, considered in decision making, or RM frameworks are applied and/or
complied with. However, ambiguities exist. For example, when step-wise rules are
unsuccessful (Bromiley et al. 2015), deviate or even conflict with people’s beliefs about RM,
they may rely on their own (rather than organizational) understandings to operationalize RM.
These understandings depend on people’s training, education and experience, and prior
knowledge of similar events. As a result, RM rules may be practiced differently within the
same organization - obeyed by some; modified by others or even violated.
PracticesinSchatzki’sSocialSiteAnalysis
Teleo-affectiveStructures:(i)teleology(goals/means),
and(ii)affectivity
Understandings Rules
Actions:achainofactionsthathave-(i)commonalitiesand(ii)orchestrations
(i)humanbeings(ii)artefacts
(iii)otherorganizations(iv)things
MaterialArrangements
8
In addition to understanding and rules, teleo-affective structures are Schatzki’s third element
under actions, comprising teleology and affectivity. Teleology embraces ends (e.g. personal
promotion, organizational goals). To achieve these ends, staff/management must pursue and
execute their assigned RM tasks. Affectivity refers to emotions (e.g. love, fear, anger,
happiness) that arise when executing a RM task. Affectivity likely affects the achievement of
the teleological ends (Boedker and Chua 2013), indeed teleology and affectivity interweave
determining participants’ attitudes or commitment to operationalizing RM. Teleo-affective
structures may be affected by RM rules and understandings: “understandings, rules, ends, and
tasks are incorporated into participants’ minds via their ‘mental states’; understandings, for
instance, become individual know-how, rules become objects of belief, and ends become
objects of desire” (Schatzki, 2002, p.480). As such, RM becomes more than RM frameworks,
relying on RM culture or deploying technical analysis; as rules, understanding and teleo-
affective structures mutually affect the RM practice in public sector organizations.
According to Schatzki (2002), actions are inter-related through: (i) chains of actions and (ii)
commonalities/ orchestrations. “A chain of actions is a sequence of actions, each member of
which responds to its predecessor (or to a change in the world the latter instigates)” (Schatzki,
2002, p. 472). For example, management may design a set of RM rules and require these rules
to be followed to meet their aim of achieving certain public-related objectives. Furthermore, as
people participate in one another’s actions, they respond to one another (Karl et al. 1993). If
they agree, understand and appreciate one another’s actions, they are likely to develop shared
understandings (commonalities) of the meaning of risks and how such risks should be
managed. For Schatzki, it is critical to examine how commonalities develop and for us to
examine how these shared understandings characterize collective RM practice. Nevertheless,
if participants disagree with each other, having different interpretations about what risks are
and how risks should be managed, these orchestrations allow them to interpret rules differently
as they find pertinent. However, orchestrations may replace existing commonalities. Schatzki
(2002) encourages us to examine how different people contextualize and react to common RM
tasks in their everyday practices.
Shatzki (2002) simultaneously recognizes the importance of material arrangements in linking
to chains of actions. He defines material arrangements as human beings, artefacts, other
organisms, and things that comprise the setting within which people act. That is, material
arrangements connect and mediate different actions. For example, risk management officers
(human beings) connect risk actions at different organizational levels/departments when
9
involved in the same RM task. Also, accounting formulations (artefacts) create a space of
‘intelligibility’ that highlights the financial importance of RM activities. Commonalities occur
due to the imprecise accounting formulations, with orchestrations allowing those with different
interests to freely express their opinions, and promote innovations (Jogenseen and Messner
2007). Ahrens and Chapman (2007) show how accounting calculations as artefacts, facilitate
the mutuality between the strategic financial objective and local shop-level operational
practices in a UK restaurant chain. Accounting (inscriptions) even can help promote and
circulate certain emotions through the organizations, which fuse each individual organizational
members’ efforts to achieve certain common organizational objectives (Boedker and Chua
2013). Translated to the RM context, Schatzki (2002) encourages us to examine how material
arrangements organize multiple actions in a certain order and sustain commonalities and
orchestrations among RM actions.
RESEARCH METHODS
The case study method was adopted for this research as it facilitates the development of a
deeper understanding of complex social phenomenon, such as the practice of RM and its
constitutive elements (Woods, 2009b). Case studies are particularly useful for an inductive
approach where theory is used to explain empirical observations about management accounting
practice (Woods, 2011). In fact, Schatzki (2002) suggests that researchers should build
understanding of their setting through interacting with organizational participants, observing
what they do, and understand their practices, again indicating a case study approach.
A key component of case study research is the interview, especially in this research, with novel
issues (Horton, Macve, & Struyven, 2004). Following Nama and Lowe (2014), theory does not
exclusively guide interview questions in our study, as the RM literature also informed our
approach. Further, questions remain relatively open to allow for other important aspects
(Walsham, 2006) so that interviewees could develop issues and “think aloud” about particular
concerns. This approach also facilitated the generation of supplementary questions for use in
later interviews, based upon key issues identified by staff working within each organization.
Further, we observed two public meetings in which top managers and councillors discussed
risk-related issues and RM. This validated and enriched the authors’ understanding of how the
actors conduct RM practice within a ‘site’, especially in a formal setting in which different
actors interact with material arrangements (such as risk reports, PowerPoint, meeting room
10
facilities). It also illuminated how participants interpret rules or express their practical
understandings, enabling the researchers to ascertain any shared general understandings and
the extent to which such understandings are accepted within the organization. Further, data
from interviews and observations are triangulated with documentary sources, such as websites,
annual reports and risk documentation. This latter source particularly aids the understanding of
rules and teleo-affective structures governing the practices. Data triangulation increases the
validity of findings (Yin, 1993), and in our particular study, enables us to explore the four
components of the site ontology organization framework and how they relate in constituting
RM practices.
SelectionofParticipants.
Through 18 in-depth semi-structured interviews with staff from the Wellington City Council
and the Christchurch City Council we sought to understand how the RM framework operates
in each local authority, how risk is identified, what risk reporting takes place, the extent of
integration of RM into day-to-day activities and how RM affects staffs’ behaviour and
motivation. The list of the interviewees in the two councils is provided in Table 1.
Table 1: List of interviewees
Wellington City Council (WCC) Christchurch City Council (CCC)
Mayor – MY Deputy Mayor – DM
Chief Executive – CE A Councillor – CC1
Former head of the Risk and Audit Committee - RAC Not available for interview
Risk and Assurance Manager - RAM Risk and Assurance Manager – RAM
Three General Managers
Director Strategy and External Relations – GM2
Chief Operating Officer – GM3
Chief Asset Officer – GM1
Two General Managers
Acting General Manager City Environment – GM1
Manager – Earthquake Rebuild and Repair – GM2
Two Business Unit Managers
Library and Community Spaces Manager - BU1
Manger of Building and Resilience – BU2
Two Business Unit Managers
Principal Advisor – Natural Resources – BU1
Business Support Manager – BU2
FINDINGS
11
Overview of RM practices within the two LAs
Below we outline the practices involved in the key RM activities and processes within the two
LAs; highlighting event identification, risk measurement, evaluation, treatment, review and
communication as shown in Figure 2.
Figure 2: Risk Management life-cycle
In terms of Shatzki’s framework, the risk management life-cycle can be considered as shown
in Table 2.
Table 2: An analysis of Schatzki’s social site analysis and RM
Actions Teleo-affective
structures (means
to an end)
Understandings Rules Material
Arrangements
Risk
Identification
Goal: to identify
risk
What is it? ? Roles and Role
description
Risk
Measurement
Goal: to measure
possible future
impact of risk
What might be the
impact?
Decision
trees
Risk matrices
Accounting as a
calculative
practice
Risk
Communica
tion
&Revie
w
RiskTreatment RiskEvaluat
ion
Risk
Measurem
entRiskIdentification
12
Risk
Evaluation
Goal: to prioritise
risks that need
treatment
Whose risk is it? Enter into
Risk
Register
Risk register
Financialization
of risk
Risk
Treatment
Goal: to mitigate
risk according to
risk tolerance
How can risk be
reduced?
Internal
controls
Insurance
certificate,
accreditation
Rick
Communica-
tion/ review
Goal: to embed risk
management
through
organization
Who is
responsible for
risk?
Communi-
cation
rules/
Periodic
review
Hierarchical
structure
Local Government in New Zealand
LAs represent a significant subset of NZ’s public sector, comprising 11 regional councils and
67 territorial authorities. The 67 territorial authorities include 12 city councils (with an urban
population over 50,000), Auckland Council (an amalgamation of 8 cities), and 54 district
councils (Department of Internal Affairs, 2014). Regional councils and territorial authorities
undertake complementary functions, rather than being two levels of sub-national government
(Pallot, 2001). Regional councils’ core function is environmental management, whereas
territorial authorities are responsible for a wide range of local infrastructure services including:
water supply, sewerage, storm water, roads, environmental safety and health, and building
control (Department of Internal Affairs, 2014). LAs must be financially autonomous and, apart
from grants for road construction and maintenance, receive very little funding from central
government. Their revenue derives primarily from property taxes (rates) and user-charges
(Pallot, 2001), and they are required to be accountable to their ratepayers and other stakeholders
(Local Government Act, 2002). To do this, the LA must prepare a Long Term Plan (LTP)
covering ten years, an annual plan and report (Local Government Act 2005). These documents
include financial and non-financial (service performance) reports. Unlike, for example, the
United Kingdom, LAs are not considered to be controlled by government. In New Zealand, the
election cycle is every three years by postal ballot. Further, while the political parties may
support candidates in local body elections, the majority of candidates are independent. This
means that party politics play a smaller role in New Zealand than in other countries.
13
Wellington City Council (WCC)
The WCC is a territorial authority in the Wellington urban area of New Zealand. Its sixty
officially defined suburbs are represented on Council by five wards. With a population of
204,000 it is NZ’s third largest city. It has NZD6,306 billion in public equity. Its funding rate-
payers and the general public expect it to use public money to provide public goods.
Evenifthefundingwasn’tratefundingforusinoursituation,butwewereprovidingpublicgood,there
isaneedandexpectation…Ithinkcharityorganizationsprobablyhaveasimilar…It’syou’veset
yourselfupandyourorganizationupwithacertainbenchmark…wewillengageandconsultwithyou
onwhat’shappeningwiththemoney,y’knowwewillhavetransparency…Someofthatislegislated
butsomeofitisapublicexpectation.(GM3,WCC)
Despite this public expectation and the desire to perform, the political election cycle prevails:
“so we have a real tension here in local government between managing infrastructure with
long lives and a very short political timetable” (GM1, WCC), resulting in not “getting
investment in the right places”. Yet, RM requires a long term view rather than the election
cycle’s short term view. The RM cycle is now discussed.
Risk identification aims to identity strategic risks (a teleology). However, due to ambiguous
rules, this task focuses on factors that might hinder organizations’ goal achievement rather
than opportunities. The understanding of pervasive risk differs according to material
arrangements such as roles and role descriptions. “The Senior Leadership Team, they decide
on the 30-40 key strategic risks, they go up to the Risk and Audit Committee on a six-monthly
basis” (GM1, WCC). The Risk and Audit Committee, based on their own experience and
interpretations, then decide what of these risks really would pose threats, enter them into the
organizational-wide risk register (another material arrangement), which they and the top
management monitor. The Senior Leadership Team finally distils possible strategic risks into
three strategic risks which are clearly defined as “events that affect the achievement of
organizational objectives” (GM1, WCC) both short- and long-term.
Political risks are the prime concern, especially at the top management level, indeed “Probably
everything in a Council in some way is political but some of them are directly overtly political”
(RAC, WCC). LAs’ organizational objectives differ from the private sector “… it’s about
taking into account where the organization is trying to get, what its priorities are, what its
vision is. It’s about (in a place like this) politics” (CE, WCC). Specifically, politics affects
14
many issues such as “your processes don’t seem consistent or robust or something small like
that” (GM3, WCC). When processes pose a risk, such rules impact risk identification.
Second, with Wellington’s vulnerability to earthquakes it is accorded strategic importance:
“how you respond and how you might recover from a major one” (CE, WCC); “in terms of risk
to buildings from an earthquake, we have known about the earthquake risk to Wellington for
thirty years so the building code has reflected that in its design standards” (BU2, WCC).
Third, economic growth was also a frontal concern of WCC’s Councillors and top Managers:
“Our commercial rating base, the value of our commercial rating base has been static for five
years…so that’s probably the biggest risk we face” (GM1, WCC); “there are a number of
economic threats, one is businesses moving out because of fears of economic resilience,
another is we are not seen as attractive and friendly for businesses…” (MY, WCC).
Building on these three, health and safety, and finances are key risk areas:
“…becausethereisquitealotofriskinthenatureofworkthatstaffundertakeandIguesstheother
areaisinthefinancialarea…Imeanthemoneygoingthroughtheorganization…”(BU1,WCC).
Staff are encouraged to identify such risks by their managers (as detailed further below):
Yes,theywillinfluencedbysomething[arisk]identifiedandthereareactionsexpectedofthem.I
don’tthinkthereisanydoubtaboutthat,becausetheyknowthatcascadesthroughtoperformance
assessmentofthemindividually,allsortsofthings.(RAC,WCC).
For risk measurement, WCC adopts a “heat map across all projects and initiatives
[calculating] …a number which heat maps it from red down to orange down to green” (GM3,
WCC). High risk project-specific issues are referred to that project’s steering group to
undertake mitigation measures or reform extant (mitigation) controls.
In risk evaluation the matrix or heat maps whereby risks are ranked but are now seen as “just
a tool we could use to kind of roughly get things into the right place” (RAC, WCC). Here, top
management is changing the rules to instil a culture of opportunity-thinking within the
organization, because: “if none of us ever got anything wrong we would never achieve
anything…risk is actually more than [failure] isn’t it…because it’s about opportunity” (GM3,
WCC). Thus, the teleological structures oust the rule-compliance approach and prefer
qualitative understanding and judgement, although it is recognised that :“probably a few people
before preferred the boxes and we could laugh at ourselves that we got it all precise” (RAC,
WCC).
Furthermore, meaningful risk quantification is challenging, can hinder understandings, and
bring the need to integrate risk management in organizational activities, as noted:
15
…it’stheharderoneforpeopletogettheirheadaround,thatoperationalorstrategicriskbasis,it’s
hardtoassociatenumbersto…y’knowtheevents,thecontrolsoversomeonerippingyouofforwhose
reallygoingtohaveanxintomyworkspacearehardertoactuallyreallyquantifyandmake
meaningfultopeople.(WCC,RA)
This deliberate choice focuses less on accounting as a material arrangements and more on
judgement as an understanding. It is also a change in the type of quantitative assessment
involved. Previously, WCC managers identified the consequences and likelihoods as well as
mitigation strategies; “then we would come up with kind of what we called a residual risk”
(WHO SAID THIS?). However, this residual risk matrix unintendedly diverted mangers’ focus
from mitigation strategies. So the accounting quantification has been modified, no longer
measuring residual risk, but: “focusing on the raw risk without taking all the factors into that
raw risk then putting more priority on the mitigation strategies [to manage risk] … down to
an acceptable risk for the Council” (SAID WHO?). As accounting is reconstructed to reflect
the practical understandings, WCC moves from rule-compliance (“a little bit less driven by
ranking and the matrix”) to understandings-based (“a bit more by kinda what is qualitatively
the level of risk we can put in place”) (RAC, WCC). Despite the residual risk remaining after
mitigation, management and staff agree that it is “not possible to define that in a quantitative
way” (MY, WCC), but depends very much on the people involved.
Projects must include an underpinning business case that evaluates all risks, and not merely:
“recycle the stuff they have done from the previous project…rather than actually thinking about
the risks and opportunities” (WCC, RAM). Rather than risk evaluation being a legitimation
tool (to get the boxes ticked), managers now understand RM can facilitate decision making.
Moreover, for operational risks, individual managers must understand “what the business is
trying to achieve, what is the business process, and doing the risk control side of it” (RAM,
WCC). With numerous priorities this is flexible, hence the GM notes: “Every time we have a
spare dollar we should commit that to the economic development space… ”.
WCC’s Risk treatment mirrors the NZS 4360:2004 RM Standard. WCC adopts a teleological
structure of “three lines of defence”. First, staff and managers should take ownership and
demonstrate accountability for risks, with staff reporting risks to their business unit managers.
The second line of defence involves the Risk and Compliance team, being responsible for
developing the RM framework, monitoring risk registers and reports, undertaking risk reviews
and monitoring RM controls, as well as reporting to the Executive Team and Management
Committees. Internal audit is the third line of defence, providing assurance and oversight of
the prior lines of defence, through reports to the Audit and Risk Committee. Nevertheless, our
16
interview data suggests high reliance on the Risk and Compliance Team by business unit
managers who appear reluctant to take ownership of operational risk issues.
Risk treatment focuses on: “having the right systems in place and the right processes to manage
[it]…to be clear about what the risks are and to try and manage it in a sensible way” (CE,
WCC). However, defining the acceptable level, or risk appetite as a core aspect of this
teleology, depends on the senior management team who use an “open judgemental” process
(CE, WCC). Such ambiguity enables multiple interpretations (or rules) and allows staff to
undertake different actions or decisions, without causing conflicts or disorder within these
social practices. A manager from WCC highlights this in relation to a common goal of zero
risk tolerance:
…evenifyougetatolerancelevel,ifyouhave[aminor]exceptionpeoplewilloftenstartthrowing
morecontrolsinplacebecauseyouhaveoneexception,whereactuallytheoneexceptionmightbe
withinyourtolerance.(RAM,WCC)
As rules, internal controls are integral to risk treatment, and in WCC this occurs through: “the
process owners, knowing their process and putting their internal controls in place” (RAM,
WCC).
Andthereisalsoanincreasingintegrationofriskmanagementthroughoutthewholeorganization…so
whilstthosepeopleatthebottom(notagoodterm),whilsttheydon’tunderstandwhatthetermis,
theyknowwhattheyhavetodoasfarashealthandsafety,asfarasbusinesscontinuity,asfaras
makingsuretheyhaveacalltreeinplaceandallthosekindofthings”(GM2,WCC).
Nevertheless, current practice of integrated RM and decision-making is considered “patchy”
with awareness varying between business units and management levels. In WCC, clearer
understandings exist for project planning than everyday decision making. Further, as managers
do not demonstrate ownership and commitment to risk thinking at an operational level, this
weakens the teleo-affective structure (the accepted attitude and mood). By transferring
responsibility to the risk team, managers delegate risk-related decisions inappropriately (RAM,
WCC). However, enforcing internal controls (rules) increases risk embeddedness in
operational decision making.
WCC’s risk treatment is inherently linked with performance targets and the risk tolerance level.
This can result in a functional manager implementing measures to avoid the risk of not
achieving an unit’s target, by over-resourcing and lowering his/her risk tolerance level. This
could occur in a call centre with a targeted maximum answering delay. If the manager staffs
for a full eight hours at the levels to reduce the risk the target will be exceeded in the peak
hours they incur more costs but to achieves the unit’s target. Instead, a “conscious risk
17
management would be saying should we actually think about reducing our level of service to
hit our targets” (WCC, RA). Hence, accounting (i..e target setting) should lead to a focus on
continuous improvement and performance management. Simultaneously, it causes tension in
RM teleology, between “what we really want” (enhanced performance) versus “what is
acceptable” (risk tolerance level- acceptable performance) with significant implications for
resourcing and managerial behaviour.
Risk communication represents an effective channel to further embed RM throughout an
organization, especially when it is underpinned by an appropriate communication hierarchy (a
teleo-affective structure) and is transparent. The WCC interviewees are confident that risk
communication is honest and open: “we are not trying to hide anything so I think that’s
positive…people trust what we are saying…we’ve been really up front” (GM3, WCC).Within
WCC, risk information is collected and discussed at the lower level, and fed hierarchically.
“They would go to the unit manager concerned, or it could go to a team leader depending on
what the risk was and what the project was and what the impact [is] going to be” (GM3, WCC).
Theydoitthroughthenormalorganizationalprocessfeedingupthrough,obviouslythroughthe
organizationstructure…[I]alsotakeanapproachofhavinginmyriskmanagementteam,people
whofocusontheparticularareasofthebusiness,andsotheythenprovideameansofquestioning
andchallengingandallowingperhapssometimesthoseissuestocomeuptothesurface.(RAC,WCC)
On the contrary, agreed plans are communicated downwards from General Managers through
to staff at lower levels. Within the business units, on-time communication of risk issues is
facilitated through team-based call trees, group texts in the case of emergency, intranet posts,
and emails.
Effectively communicated goals matter to people. For example, following two recent
workplace, health and safety is important. The WCC has developed “a really simple emotive
statement, ‘everyone has the right to go home from work’” (GM2, WCC), touching people’s
emotions, to internalise health and safety prioritization. This intertwining of affectivity and
teleology can be a strong mechanism, creating sharedness in RM practices through joint
understanding “between ends, projects, uses (of things), and even emotions” (Schatzki, 2002,
pp. 472).
Externally communicating risk is unlikely to include accounting data to instigate public
discussion, rather in consultations:
…therealissueis‘arethenumbersgoingtowork’and‘areweasmanagerspreparedifthepublicis
againstthosesortofthings’.…Butthat’snotariskissue,that’sapoliticalmanagementissue.I
acceptthatandthat’spartofit.(WCC,CE)
18
Risk indicators however, enable internal risk reporting and communication and are integrated
in an organization-wide balanced scorecard, being reported monthly alongside financial and
other performance data.
Through risk review, material arrangements include “regular meetings throughout the year …
when the leadership team all gets together … to pool [ideas] and chew them around” (CE,
WCC). The balanced scorecard enables these discussions as:
…we…lookatwhattheweightingsare,whattheprioritiesare,dowehaveanythingthatneedsto
comein,dowehaveanythingthatneedstogooutsoyoudoallofthat”(WCC,CE).
Consequently, they attend to not only risks listed in the risk register and risk management plans
but also emerging risks that can threaten performance and achievement of organizational
priorities. These inform their discussions with councillors (CE, WCC). Hence, there are plans
to integrate risk review to enable management to make timely decisions in response to achieve
performance targets:
GoingforwardIwanttogetthingsaroundlinkingittotheLongTermPlan,linkingitthroughtowhere
ourleadandlaggingindicatorsareandpressurepointsthatmightbepoppingupinthesystem,
makingsureproactivethingshappen…tomakeitusefulasamanagementtooltoactuallygivethem
ideasastowheretheyneedtofocustheirattentionsontomanagetheirbusiness.”(GM,WCC)
Further, in accordance with the three lines of defence, the risk team undertakes an annual audit
of the RM framework and risk profiles, updates mitigation strategies and examines their
effectiveness. They review major or strategic risks holistically, but to ensure the objectivity of
their opinions: “…we make sure we don’t get into the minutiae of performance measurement,
both for the organization and for individual staff members...” (RAM, WCC).
Accounting and management controls, as material arrangements, play a critical role in various
risk management activities.
Regardless of these material arrangements, it is uncertain whether risk is embedded :“I think
the issue is how embedded is it, and when you get something like the parking contract how do
you actually do your evaluation, you know, is it embedded in something like that..” (WCC,
CE). Similarly, the RAC commented regarding the effectiveness of risk in instilling awareness
and response in individual staff and managerial thinking “do we have any evidence of
that…no”. Again, the integration of risk indicators in performance measurement and reporting
and evaluation can be simply “too much lip service” and “a lot of box ticking”. The CE
commented that:
19
Ithinkamuchbettermeasureisnotwhetherthereisaconversationinanannualappraisalbut
actuallywhathappenswhenyougetaproposalforwardandhavetheyactually…takenriskonboard
ornot…it’sprettyobvious.…Frommeit’saboutthespiritratherthantheletterofthelaw.
Hence:
…performanceplansarestructuredaroundthreecoreattributes…oneofthoseisaroundtheCouncil
values,andtwooftheCouncil’svaluesprobablyrelatedirectlytoriskbeingthatensuringintegrity
andrespectandaspecificonearoundhealthandsafety.Soeachemployeeisrequiredto
demonstratethreeactivitiesortaskstowardsachievingthosevalueseachyear.(GM2,WCC)
We now turn from WCC to Christchurch City Council’s processes.
Christchurch City Council
The CCC is the territorial authority for the urban area of Christchurch, comprising 13
councillors elected from seven wards. It manages NZD7,081 billion in public equity and has a
population of 366,000. Christchurch suffered a number of devastating earthquakes during 2010
and 2011, involving significant loss of life and property damage to the central business district.
The Canterbury Earthquake Recovery Authority (CERA) was established by central
government to co-ordinate the demolition and rebuilding of Christchurch. The earthquakes
caused CCC to lose significant rating revenue, experience significantly increased workload,
and forces it to coordinate with CERA. These factors significantly impact the council’s
approach and attitude to RM, as now presented.
CCC’s major risk identified was also political risk, labelled as reputation risk from
“respond[ing] not in the correct way...there is a reputational risk to the organization” (GM1,
CCC). Yet, the understanding is limited to the post-earthquake rebuild: “if the city rebuild does
not happen on time, it affects the reputation of the council” (GM1, CCC). Indeed, the CCC
interviewees focus on short-term, or recent risk events such as earthquakes and the
consequences, the city rebuild, and timely building consents, rather than anticipating future
risks. Audits and performance reviews cement this: “we also have a lot of audit that goes
on…so that identifies risks and they need to complete…they need to solve those risks” (BU2,
CCC).
The earthquakes have increased people’s risk awareness: “At a work level I think people are
more conscious of the risk management issues because of the tighter constraints in which the
Council is now working under” (BU1, CCC). People talk about earthquakes, what happens
20
prior to, and what happens post-earthquake. Operations are organized around earthquakes, e.g.
on rebuilding city infrastructure– which buildings become material arrangements, showing the
success of short-term risk management.
To manage political risk, CCC may concentrate their efforts on economically unviable projects
(as shown by material arrangements - cost and benefit analyses and economic modelling), . It
is a “public relations exercise” of “being seen as doing something”. For example, CCC
relocates houses within the red zone2 instead of demolishing them.
Well…fromapuristperspectivethereturnoninvestmentorcostbenefitindoingredzonerelocation
isn’tthere…theywouldbebetteroffstartingoffandbuildingnewhouses…yeah…[but]itisscreaming
righthere,rightnow,there’sahousingcrisisinChristchurch,it’sasimpletheorythatyoushouldbe
abletoapply,pickupahouseandmoveitsomewhereelsethatdoesn’tcostmuchmoneyandweget
somebodybackintothehousewhenitwouldhaveendedupinthelandfill(CCC,GM2)
Simultaneously, in an example of an approach to RM that focuses on “critical imagination of
alternative futures” (Power, 2009) is indicated by an interviewee:
Thereisnobetteropportunitythanhavingalargeeventtore-considerallofthesethingsandthe
governmenthasalsodoneitwithschools.Youdon’toftengettheopportunitythatwehavegotnow
toreallylookatthecityasawholeandmakesomeofthosedecisions.(BU1,CCC).
Nevertheless, there is “no culture” around risk identification, and RM has seen minimal culture
change:
No,notobehonest,unlessit’sactuallyforceditwon’tbeacceptedintheshort-termoreveninthe
medium[-term].Myjobisoftenaboutrecordingrisk,identifyingrisksandreportingrisksbutthe
abilitytoacceptthoserisksorevenactivelymitigatethoserisks,rightthroughtoseniormanagement
isoftendisregarded.(RAC,CCC).
Power (2009) suggests that rule-based compliance can imprison organizational thinking.
However, these rules can comfort and assist in avoiding blame. Consistent with this, CCC uses
ERM compliance to manage political risk:
…Sothenwhenwearecriticisedforsomething,wecansaythisistheapproachwehavefollowedand
rightlyorwronglythesearetheconclusionsthatwehavereachedbutyouneedthattobeableto
showpeoplethatyouhavefollowedaprocessandit’snotjustsomethingwehavejustthoughtup.
(BU2,CCC)
Messingupisfineyoujustneedtoshowtheprocessthatyouhavefollowedtominimisethatandif
youcandemonstratethatthennormallyyouareokay.(BU1,CCC)
2Redzonesareresidentialareaswhere“the land has been so badly damaged that it’s unlikely it can be built on over the short to medium term” or where “ there is life risk posed by rock fall and/or cliff collapse, and land slips” (LINZ, 2013) LINZ, 2013. Residential red zone areas. Available: http://www.linz.govt.nz/crown-property/types-crown-property/christchurch-residential-red-zone/residential-red-zone-areas. Accessed 16 August 2016.
21
For risk measurement, CCC adopts a “standard [matrix]3 system in terms of identifying the
risk, identifying the likelihood and the impact and scoring and ranking, each of those” (GM1,
CCC).
Risk evaluation utilises the rule-based matrix system to differentiate low, medium, and high
risks. ‘High risks’ are escalated hierarchically upwards from lower to top management levels
where: “they are amalgamated … group-wide or overall organization-wide” (GM1, CCC).
Nevertheless, there is little RM integration at lower levels where: “it happens by sort of good
luck rather than good planning” (BU1, CCC). Staff see RM as “an extra thing they have to do”
and for some it is a negative enforcement “oh god we need to do a risk management assessment
or something, so we will go through and tick box” (BU1, CCC). Previously, only projects
considered to be strategic risks required risk assessments were not necessary, leading to a
piecemeal approach which is evident across CCC:
Anumberofindependentauditshaveidentifiedthatweareextremelysiloorientatedasan
organization.Sowhatyouhavethere,isifanareaofriskidentifieddoesn’timpactoneparticular
groupmanager,itisnotconsideredimportant,ratherthan[themconsidering]asanorganization
howdoesthisriskneedtobedealtwith.Sothatreinforcestheoperationalfocusanditdilutesthe
sortofstrategic,collectiveresponsibility.(RAU,CCC)
Schatzki (2002) states that understandings are widely accepted within a site and so this lack of
“strategic, collective responsibility” will drive CCC practices. Indeed, a new capital
prioritisation system requires business cases carefully quantifying cost benefits of each
project’s “value for money”, to shift away from a “spending the budget” mentality. However,
despite business cases assisting in project selection to achieve organizational objectives, “there
was a real reluctance to put data into the system” (RAM, CCC) and it is often not used. Thus,
accounting does not play a critical role.
Wehaveastrongoperationalfocusintheorganizationwhichishistoricallyquiteright,becauseitis
aboutdeliveringthings,butumpeoplestillhavetheattitudeofspendingthemoneytheyhave
budgetedratherthanhowdoIdeliversomethingandthenlookatthebudgetissuesafterthat.It’svery
muchIneed$25milliontobuildalibrary…[anda]$25millioncheque,y’knowfundisavailableand
peoplegoawayandbuildalibrary…Thatisverymuchthemind-setthatpeopleareoperatingtoand
thathasbeenaroundforanumberofyearsandit’snotuniquetoChristchurchthat’sthewayithas
alwaysbeen(CCC,RAM).
Hence despite its potential, accounting fails to change the disconnection between the mentality
(the current status) of using up the budget and the teleology (managing and minimising all the
risks that can threaten the organization’s achievement of its objectives).
3 This is the standard 5x5 matrix with probability and consequence on each axis. Probability: rare, unlikely,
moderate, likely, very likely. Consequence: insignificant, minor, moderate, major, and catastrophic.
22
With limited resources available, it seems obvious that CCC must change its understandings to
consider the costs and return/benefits gained from projects. However, there was reluctance and
lack of understanding across the organization regarding the “the financial risk, the financial
value for money”. The lack of this analysis hinders risk identification. For example, the council
must borrow NZD10 million from the public to fund a private property development, but will
receive no return. The risk and assurance manager argued that “we are getting no bang for our
buck and it’s an extremely risky proposition”, but that managers and councillors lacked
“understanding or even acceptance that this is a viable risk”’.
However, the Local Government Act may change beaviour. The RAM notes it has.
…frequentreferencesaboutCouncilsneedingtodemonstrateefficiencyandeffectivenessintheway
theyproduceservicesandconductactivities…[wehavedebated]…whatthatmeans…[anddecidedit
is]aroundprovidingvalueformoney[and]requiresa,Iguessastronganalyticalviewofthe
cost/benefitofthewaywedocertainthings.
Cost benefit analysis (a material arrangement) enables internal discussions and increases
awareness of certain risks in assessing resource-consuming projects within CCC. The most
obvious are:
Financialrisksandsoparticularlyaround…ourfundingissotightthatsothis…annualprofileofour
debtversusincomemeansthatwehavetobeverysensitiveanyofthatfinancialrisksowecannot
affordtohavesloppyfinancialmanagement….(CCC,RAM)
Therefore, the business case requirement referred to above not only stems from the
interpretation of the Local Government Act, but is also “forced upon us” as it is a requirement
from New Zealand Transport Agency, and some councillors who applyl a new rule to improve
financial awareness and enhance CCC’s efficiency and effectiveness.
CCC’s risk treatment is based on the ISO 31000:2009 RM Standard. The Manager, Business
Assurance oversees implementation of this teleological framework, develops ERM processes
and methodologies, and facilitates risk discussions with the Executive Team, the Risk and
Audit Committee, and the Council. Supported by key risk managers and business unit experts,
the CCC’s Business Assurance Manager has a similar role to the Risk and Compliance Team
in WCC. However, CCC does not involve staff accountability as the first line of defence,
holding the Manager, Business Assurance primarily accountable. This role and internal
controls were seldom mentioned in interviews, with no indication that operational risk is
managed effectively, despite the teleological structure. Though secondary data details CCC’s
RM governance structure we found low awareness of risk treatment. Indeed, RM is visible at
project planning rather than implementation stage.
23
CCC’s silo mentality is expressed in managers taking localised, disconnected decisions and not
elevating risk information to appropriate management levels as the teleology expects. When
information is communicated, a lack of senior management ownership exacerbates the
problem, as exemplified when the CCC lost its authority to issue building consents.
CCC’s process of risk communication and review is similar to WCC, having a teleological
structure. Operationally a quarterly or two monthly risk review occurs, but, since the
earthquake, the: “Executive Team meets regularly every week and probably at least every other
week, [to] look at those risks.” (GM1, CCC). The review is a rule-based process of analysing
the risk register, checking the actions and mitigations, reviewing the scoring and identifying
new risks.
Becausesometimesrisksgetputonriskregistersandtheystaythereforevermoresowechallenge
whethertheriskisstillthereandthensortofchallengeourselves…havewedonethingstolowerthat
risk?(DM,CCC).
Despite this, the risk manager reflected:
ThingsIamresponsiblefor,certainlygetreportedbutyoudon’tseeanyactiveaddressingor
prioritisationoftheworktoaddressthoserisks.Itisnotvisibletome.Ihavebeentotheexecutive
team,quiteanumberoftimesonproposalsandyouonlygetinteractionfromthosethatareaffected
byit.Therestwilljustsitthereandtheywon’tconsideritordebateitorprovideanyinput(RAM,CCC)
Rule-based compliance and a teleological structure does not guarantee RM effectiveness.
In respect of CCC’s risk communication, as risk is understood to be negative, information is
not elevated. Many interviewees mentioned a recent risk event when the council lost its
accreditation to issue building consents. The lack of elevation of the risks identified, was a key
reason for the failure.
Thepointisaletter[informingthepossibilityoflosingaccreditation]wenttoastaffmemberandshe
knewaboutit,wewereabouttoloseouraccreditation<right>anditwasthefrustrationtotrytoget
thatup…Theyhavetogetoverwalls…soforsomeonetogetfromtheretotheretheyhavetoclimb
overaseriesofwalls…TheyhavetoclimbaseriesofBerlinwallstogetthere…sotheyhavetogoup
toseeamanagergetpermission…downagain…uptoseeanothermanager…”(CC1,CCC)
Furthermore, the chief executive did not utilise the teleological structure of informing
councillors, but took action to reduce fallout:
[thechiefexecutive]obviouslysaidtowhomever…‘what’syourstrategy?Is[itto]getmorestaff,can
yougetmorestaff?’,‘Yeswecan’anditwasdealtwiththereuntilreachedthepointofnoreturn.
(GM2,CCC).
Senior management was also unaware even though: “there was a clear committee structure so
on any particular issue there should be clear governance and council staff interchange” (DM,
CCC). “S-based RM” with staff attending only to risks within their functional responsibility
24
brings a corresponding lack of open communication to find solutions to manage risks. Teleo-
affective structures were insufficient as practical understandings dominated – what made sense
to do to certain managers was to keep the issues narrow (siloed), operationally-focused and to
solve them at the lower levels rather than escalating them hierarchically.
A general manager admitted that RM “seems to be almost exactly the same as it was pre-quake
in most cases”, and attributed it to the NZ (kiwi) culture “don’t know whether it’s part of being
kiwi, she’ll be right, take it in your stride, we will deal with it when it happens” (GM1, CCC).
Due to these (implicit) shared understandings, there is minimal discussion of RM specifically
at both top and lower management levels. In fact, as presented above, people see RM as a box-
ticking exercise (rule-compliance approach) rather than actively trying to acquire RM
knowledge and ownership.
This suggests that the understandings and rules regarding risk events are different between the
two LAs, with WCC considering risks more widely scoped, over a longer-term horizon and
with a forward looking orientation, while CCC is narrow focused and short-term oriented, as
summarised in Table 3.
25
Table 3: Extension of Schatzki’s Social Practice in relation to Risk Management
Actions Teleo-affective structures
(i.e. teleological means to
manage risk)
Understandings Rules
Material Arrangements
WCC CCC
Risk
Identification
Split into strategic and
operational (affected by roles
& role descriptions which are
material arrangements)
(Ambiguous)
Risk is an
opportunity
Focus on
earthquake,
economic,
political risks
Risk is to be
avoided
Focus on short
term risks from
earthquake
Enterprise-wide RM
processes
Processes to identify and
report
Roles and Role description
(Links to understandings of
what risk is & the teleo-
affective structures
Risk
Measurement
Specifically the goal is to
measure possible future
impact of risk
Likelihood &
consequence
affected by
prior
understandings
Underplays rules &
emphasises judgement
Important to follow rules
Matrices, risk maps
Mayor/leadership (links to
understandings)
Risk Evaluation Means to manage risk. Identify Strategic & operational
risks.
Enter into Risk Register
26
Goal to prioritise risks that
need treatment
Prioritise
economic risk;
Recognise
shortcomings
& need for
qualitative
judgments
A negative
enforcement
that happens
“by sort of
good luck”
Reluctance to
consider
financial risk.
Conduct business case
Rule-based matrix system
Capital priotisation
system
Senior Leadership
Team/Risk and Audit
Committee
Risk register & business
case (links to rules)
Risk Treatment Mitigate risk according to
tolerance for it
Balance risk
tolerance/
control.
Integrate
Processes are
king; feedback
unnecessary.
Low risk
awareness.
Individualistic
responses not
collective
responsibility
Internal controls
3 lines of defence
(collective
accountability)
Reliance on Manager,
Business Assurance
Election cycle – short term
Leadership
Rick
Communication/
review
Embed risk management by
highlighting/reviewing key
risks
Risk an
opportunity –
Risk is
negative and
barriers to
Frequency of review &
communication regulated
Hierarchical structure and
call tree
27
Sharing of risk register management
open to change
escalation.
Lack of
management
engagement.
Integrate risk indicators
in balanced scorecard/
long term plan.
Balanced scorecard and
risk indicators
Meetings of review team
Risk register
28
Discussion
The risk management practice within WCC and CCC comprises the actions of risk
identification, measurement, evaluation, treatment and communication/review. These risk
management actions are organized through rules, practical understanding and teleo-affective
structures. Both LAs follow similar rules that instruct the processes of adopting enterprise-wide
risk management frameworks to identify risks, evaluating the likelihood and consequence of
risk events, using risk matrices to rank risks and entering strategic risks into risk register,
applying cost-benefit analysis and requiring business cases for all risk related projects, using
internal controls to monitor the actual treatment on such risks. WCC utilises a three lines of
defence method to treat risks, while CCC appears to leave this to one manager. Complying
with these RM rules are regarded by top and operational managers in both LAs to help them
avoid blames in case of external scrutiny on possible negative project outcomes.
Similar rules of risk management are practised differently within the two local LAs, due to
differing practical understandings. In WCC, risks are considered to be opportunities to achieve
future long term economic growth, and so place the city (and elected councillors) in an
advantageous position. This promotes an open and forward-looking attitude towards
identifying, discussing and communicating risks between people of different levels within the
organization. In addition, a qualitative approach was dominant in the process of measuring and
evaluating the likelihood and consequences of risk events. In contrast, risks in CCC are
understood as negative hurdles to restoring the city of Christchurch to the prior-earthquake
conditions within a short period. This generates a conservative and backward-looking
atmosphere towards RM. As such, CCC measures the likelihood and consequence of these risks
through precise quantitative criteria.
To ensure RM compliance with rules, both LAs adopt a similar standard teleological structure:
managing risks within a pre-determined risk appetite. For each RM activity, a sub-goal can
also be identified: identifying strategic and operational risks, measuring the risk impact,
prioritising the risk according to the tolerance level, and embedding risk in business as usual
through reporting/review structures. However, within the two LAs, WCC has a stronger
teleology than CCC, as it integrates risks in performance development planning (PDP) and
performance evaluation.
All staff, irrespective of level, have their PDP tied to risk-related objectives in some way. They
must achieve these objectives in order to receive a certain grading, which would influence the
29
evaluation of their performance. This would in turn have direct impact on their salary
adjustments (BU1, WCC). Risk-related PDP and performance evaluation becomes an effective
mechanism to “hold them to account to ensure that the work they have done, they haven’t
simply made up… [that] there is personal commitment” to RM (GM2, WCC). As a result,
people of different levels within WCC are forced to practise RM on a daily basis, which helps
spread the open and forward-looking RM understanding across the whole organization. This
suggests that teleology reinforces practical understanding, which in turn drives risk
management practices:
This finding resonates with Woods (2009), Arena et al. (2010) and similar others who argue
that structures adopted and systems used in organizations would affect RM practices. While
not denying the role of teleology including structures and systems, our finding extends prior
research by showing that affections aroused by the teleology also determine people’s risk
management behaviours. That is, it is not only because of the existence of ‘cold’ teleological
structures (e.g. PDP, performance evaluation scheme or quanitative risk measurement scale
and ranking) but how such structures make the goal of managing risk ‘matter’ to what people
desire (e.g. good salary adjustments). Motivated by this affection of ‘being important’, different
people of the same and different levels are actively engaging with each other and have an open
attitude towards RM practices. In contrast, within CCC, the conservative and backward-
looking understanding triggered people’s fears of taking wrong decisions and receiving
subsequent blame. This teleology of managing risks a box-ticking activity purely for
organizational legitimatization. As a result, CCC staff attempt to downplay and dilute their own
problems, are reluctant to share relevant information with others, and, along with inter-
departmental fracture, shifting responsibility to other business units. This finding extends prior
research by showing that affections can limit the functioning of structures and systems adopted
by organizations.
Overall, through two case studies, we find evidence to support Mahama and Ming (2007),
Themsen (2014), Wang et al. (2016) and similar others who argue that RM is a practice
involving the interactions of local and everyday activities. We further extend these research by
finding a particular way through which RM is practised: the interactions between rules,
understandings and teleo-affective structures that bring about a chain of actions including
identifying, measuring, evaluating, treating, communicating and reviewing risks. In particular,
rules, practical understanding and teleo-affective structures interact with each other in
constituting a collective based RM practice in WCC and a silo based RM practice in CCC. The
30
collective based risk management practice is characterized by opportunity and forward-looking
consideration, qualitative judgement, intra- and inter-departments coordination on risks. This
collective based RM practice partially overlaps with the idea of holistic RM as conceptualized
by Mikes (2009) that is heavily influenced by the culture of quantitative scepticism. The silo-
based risk RM practice involves conservative and backward-looking thinking, quantatitive
measurement and independent department work on risks. This silo-based RM practice
resembles Mikes (2009)’s notion of quantatitive RM that favours quantitative calculation.
Mikes (2009) argues that RM styles affect and are affected by RM cultures and other
contingent/contextual factors. In this way, culture and other possible contextual factors are
treated as entities that have their own existence which is exogenous to RM practices. However,
we find that the three elements (rules, understanding and telelo-affective structures) and the
interactions between them are an inherent part of RM practices. That is, RM is not a separate
practice but transpires from (the interaction between) these contextual variables.
Accounting helps to perform teleology adopted for WCC’s and CCC’s RM. Given that both
LAs adopt a similar teleology, the types of accounting and management controls and how these
controls were used are alike: the risk register is used in identifying risks; the risk matrix is
adopted within both LAs to measure risk likelihood and consequence and to quantify risk
impact; risk indicators and performance are integrated in managerial personal development
plans in reviewing and communicating risks and financial data and business cases are required
for all new projects and the risk register is shared across the different management levels.
However, the different practical understandings within WCC and CCC made these seeming
similar accounting controls result in very different risk management practices within the two
LAs. In WCC, accounting acted as an object of discussion, which primarily took an
instrumental role of encouraging open discussion and debate between people within the
organization about the meaning and solutions to risks. People with different values, beliefs,
interests and expectations exhibited different interpretations about what is risk and how risk
should be managed. For example, executives of WCC focus on the economic desirability of
proposed projects and prefer using quantitative mechanisms (e.g. accounting numbers, cost and
benefit analysis) to emphasise risks while councillors had the strong political desirability of
winning elections and they prefer using qualitative judgement to identify risks that may affect
their reputation in the public. That is, accounting numbers and controls allow and trigger
multiple interpretations on risks. This is consistent with Ahren and Chapman (2007) and
Jørgensen and Messner (2010) who find that accounting numbers orchestrate different strategic
31
objectives and practices among people with different functional backgrounds. While these two
papers interpret the use of accounting numbers for management control purposes as a neutral
(not an optimal nor a suboptimal) reaction to a particular local setting, we highlight the
consequence of multiple interpretations (as allowed by accounting numbers) on risks. That is,
these multiple interpretations unfortunately created ambiguity about the meaning of risks and
led to the inability to quantify some risks.
Within CCC, accounting was performed primarily for organizational legitimation. That is, accounting
controls were performed purely for fulfilling risk management tasks that were allocated to them from
their subordinates. CCC staff performed these accounting controls to legitimate their decisions in case
of public scrutiny. As such, risk quantification is a box-ticking, legitimation tool rather than supporting
decision-making. Accounting controls thus hinder the sincere communication between different people
within CCC and exacerbate the fracture and alienation between these people. This led to the lack of
understanding, creating ambiguity about risks within CCC.
Across WCC and CCC, similar accounting controls are used for managing risks. However, consistent
with Ahrens and Chapman (2007)’s argument on the ‘situated functionality of accounting’, we found
that accounting controls used for RM caused ambiguity through different paths within WCC and CCC
depending on local practical understandings. Specifically, the opportunistic, open and forward-
looking understanding of RM laid the foundation for accounting controls to encourage multiple
interpretations on risk and respective solutions within WCC. In contrast, the earthquake-centred,
conservative and backward-looking understanding set the tone for the legitimating function of
accounting in CCC. While we agree with Vinnari & Skærbæck (2014) and Wang et al. (2016)’s
findings that the management of one risk may lead to the creation of new uncertainties or risks, the
findings of this paper differ from their studies by finding how ambiguities continuously rotated around
the same (object of) risks that the organization attempted to deal with.
CONCLUSION
Our study utilises interviews, observations and secondary data to understand RM practices
within two New Zealand LAs. We seek to answer the research questions of “how risk
management is organized and practised within NZ Las?”.
Our findings make three contributions to the literature. Firstly, different from studies that
higlight exogenous contigent factors that drive risk management practices (Mikes, 2009;
Woods, 2009), we emphasise the elements that organize and shape risk management practices.
These elements are endogenous and inherent to risk management itself, including,
32
understandings, rules and teleoaffective structures. Understandings determine how risk
management rules are interpreted and applied, and affect the effectiveness of teleoaffective
structures in communicating and embedding risk management in organization’s everyday
activities. The interaction between and the combination of these three elements constitute the
‘mentality’ of risk management that drive risk management behaviour. We identify two types
of risk management mentality prevalent in our two cases, namely: a collective-based,
performance-oriented mentality, and a silo-based, box-ticking risk mentality. We argue that it
is the mentality constituted of inherent elements of understandings, rules, and teleoaffective
structures, that drive inter-site/organsational differences in risk management practices. This
focus on the role played by endogenous factors and the interaction between them, versus the
exogenous, independent contingenct factors in examining risk management practices is an
important insight this study adds to the literature.
Secondly, we contribute by highlighting the postive consequences of risk management rules
and processes. Consistent with prior studies (Power, 2005; Vinnari and Skærbæk, 2014; Wang
et al., 2016) we find evidence of the negativity caused by risk management. Specifically, within
one LA, rules are strictly complied with for the purpose of external legitimation and blame
avoidance. In contrast, our study also provides evidence of positive impacts of risk
management practices. In this same LA, rule compliance reduces role uncertainty and gives
managers some form of ease against the multiplicity and complexity of risk management. In
the other LA, the flexible interpretation and application of risk rules empower managers and
staff to adopt autonomous risk responses as along as they achieve performance targets and are
consistent with risk tolerance level.
Our third contribution lies in identifying the different accounting and management controls
used to manage risks. In accordance with prior studies (Dekker, 2004; Themsen, 2014;
Anderson et al., 2015) we find that accounting plays a significant role in enabling risk
management practices. This role is not only limited to the quantification the likelihood and
impact, the cost-benefit analysis or the setting of tolerance level, to enable risk performance
monitoring and control. Additionally, management control such as interactive use of indicators,
integration of risk information in balanced scorecard and long term plan can increase risk
awareness and enhance strategic integration at different management levels. Interestingly,
accounting make multiple expectations and beliefs visible and promote discussion and debate
at top management levels, supporting a performance-focused mentality of risk management. A
flexible use of accounting (by moving beyond strict adherence to accounting numbers) can
33
empower decision making and opportunity seeking behaviour at local levels. However,
accounting can be pre-empted by pre-existing understandings conditioned by institutional and
organizational contexts. Depending on its use, accounting can enhance or reduce rue
compliance. Accounting can contribute to teleology achievement or make visible the conflicts
and trade-offs within the teleology. Hence, our findings provide positive aspects of accounting
whilst cautions that a flexible style of accounting use is more conducive to risk management
and that accounting has significant interactions and impact on understandings, rules and
teleoaffective structures of risk management. We also reinforce the notion of ‘situated
functionality’ of accounting (Nama and Lowe, 2014; Ahrens and Chapman, 2007) as the two
very different uses of accounting found (legitimating versus instrumental) in our study are
contextually-bound; they are driven by institutional and organizational specificities, including,
the political cyle and public accountability required of public entities, and organizational
leadership.
Our study is subject to several limitations. We only examine two NZ LAs and hence the results
might not applicable to LAs in other countries. However, our findings provide interesting
comparative insights to those gained from other contexts such as the UK or Australia. The
findings would be richer if we can observe RM practices directly and triangulate the
observations with interview data. However, we have addressed this limitation by triangulating
interview data with secondary data, and validating opinions across different interviewees.
Future research should aim to further test Schatzki’s social site analysis, to examine the affect
of rules, understandings, and teleological structures on RM practices, in other contexts and
time periods. As shown by our study, Schatzki’s ontology provides a rich analytical framework
to move beyond description or prescription of RM, to uncovering the why and how RM
practices are organized within and across organizations.
APPENDIX
Interview guide
How is the ERM designed and how are the risks identified and chosen? What are the basis for
measuring risk?
What risks are considered strategic by top management? How do top managers use ERM to
deal with them through internal control systems? To which extent is the enterprise risk
management used by top management in their decision making?
How do departmental managers monitor, and respond to operational risks and issues?
34
How is risk information communicated within the organization, especially different levels of
management? How do top managers ensure risk awareness among organizational members?
How is risk information communicated and reported to board of directors, and external
stakeholders? Is there difference in the risk information reported internally versus externally?
Through which mechanisms do top managers ensure that staff are innovative and flexible at
the same time being risk-aware and possibly risk-averse?
What impacts does the integration of risk issues/measures and risk awareness have on
managers’ behaviour and motivation?
To which extent is risk information used by the organization to engage with external
stakeholders and to which extent that stakeholders have an impact on risk management practice
within the organization?
35
References
Abernethy, M. A., & Chua, W. F. (1996). A Field Study of Control System “Redesign”: The
Impact of Institutional Processes on Strategic Choice. Contemporary Accounting Research,
13(2), 569-606.
Ahrens, T., & Chapman, C. (2004). Accounting for flexibility and efficiency: A field study of
management control systems in a restaurant chain. Contemporary Accounting Research, 21(2),
271-302.
Ahrens, T., & Chapman, C. S. (2007). Management accounting as practice. Accounting,
Organizations and Society, 32(1-2), 1-27.
Anderson, S. W., & Dekker, H. C. (2005). Management control for market transactions.
Management Science, 51(12), 1734–1752.
Anderson, S. W., Christ, M., Dekker, H. C., & Sedatole, K. L. (2015). Do extant management
control frameworks fit the alliance setting? A descriptive analysis. Industrial Marketing
Management, 46, 36-53. Auditor General Victoria. (2004). Managing risk across the public
sector: Good practice guide. Melbourne: Office of Auditor General Victoria.
Australian National Audit Office. (2004). NAO Audit Report No 11 2004-05: Commonwealth
Entities’ Foreign Exchange Risk Management. Canberra.
Barrett, P. (2005). Future Challenges for Risk Management in the Australian Public Sector.
Canberra: Australian National Audit Office.
Bromiley, P., McShane, M., Nair, A., & Rustambekov, E., (2014). Enterprise risk
management: Review, critique and research directions. Long Range Planning.
Bryson, J. M. (1988). A strategic planning process for public and non-profit organizations.
Long Range Planning, 21(1), 73-81.
Boedker C & Chua W. F. (2013), Accounting as an affective technology: A study of circulation,
agency and entrancement. Accounting, Organizations and Society, 38 (4), 245 – 267.Callon,
M 2007, What does it mean to say that economics is performative? in D MacKenzie, F,
Muniesa & L Siu (eds), How economists make markets: the performativity of economics,
Princeton University Press, Princeton, NJ.
36
Chua, W. F. (1995). Experts, networks and inscriptions in the fabrication of accounting images:
a story of the representation of three public hospitals. Accounting, Organizations and Society,
20(2/3), 11–45.
Clarke, C. J., & Varma, S. (1999). Strategic risk management: the new competitive edge. Long
Range Planning, 32(4), 414-424.
Collier, P. M., Berry, A. J., & Burke, G. T. (2007). Risk and management accounting: best
practice guidelines for enterprise-wide internal control procedures: Elsevier.
Collier, P. M., & Woods, M. (2011). A comparison of the local authority adoption of risk
management in England and Australia. Australian Accounting Review, 21(2), 111-123.
Committee of Sponsoring Organizations of the Treadway Commission. (2004). COSO
Enterprise Risk Management - Integrated Framework: Executive Summary Framework. New
York, NY: Author.
CPA Australia. (2002). Public sector risk management: A state of play. Melbourne: Public
Sector Centre For Excellence.
Crawford, M., & Stein, W. (2004). Risk management in UK local authorities: The effectiveness
of current guidance and practice. International Journal of Public Sector Management, 17(6),
498-512. doi: doi:10.1108/09513550410554788
Dekker, H. C. (2004). Control of Inter-organizational Relationships: Evidence on
Appropriation Concerns and Coordination Requirements. Accounting, Organizations and
Society, 29, 27-49.
Departmentof InternalAffairs,2014,LocalGovernment inNewZealand - localcouncils,Retrieved
June, 2014, from http://www.localcouncils.govt.nz/lgip.nsf/wpg_URL/About-Local-Government-
Index?OpenDocument
Economic Intelligence Unit. (2011). Best practice in risk management: A function comes of
age (a report sponsored by by ACE, IBM and KPMG). London: Economic Intelligence Unit.
Feldman, M. S., & Orlikowski, W. J. (2011). Theorizing Practice and Practicing Theory.
Organization Science, 22(5), 1240-1253. doi: 10.1287/orsc.1100.0612
Horton, J., Macve, R., & Struyven, G. (2004). Qualitative research: experiences in using semi-
structured interviews. The real life guide to accounting research, 339-357.
37
Jørgensen, B., & Messner, M. (2010). Accounting and strategising: A case study from new
product development. Accounting, Organizations and Society, 35(2), 184-204.
McCrae, M., & Balthazor, L. (2000). Integrating risk management into corporate governance:
the Turnbull guidance. Risk Management, 35-45.
McShane, M. K., Nair, A., & Rustambekov, E. (2011). Does enterprise risk management
increase firm value? Journal of Accounting, Auditing & Finance, 26(4), 641-658.
Mikes, A. (2009). Risk management and calculative cultures. Management Accounting
Research, 20(1), 18-40.
Mikes, A. (2011). From counting risk to making risk count: boundary-work in risk
management. Accounting, Organizations and Society, 36, (4/5), 226–245.
Mouritsen, J & Thrane, S 2006, ‘Accounting, network complementarities and the development
of inter-organisational relations’, Accounting, Organizations and Society, vol. 31, no. 3, pp.
241–275.
Nama, Y., & Lowe, A. (2014). The ‘situated functionality’ of accounting in private equity
practices: A social ‘site’ analysis. Management Accounting Research, 25(4), 284-303. doi:
http://dx.doi.org/10.1016/j.mar.2014.06.001
Oughton, D. (1994). Accountability versus control—rust never sleeps. Public Sector, 17(3), 3.
Pallot, J., 2001, Local government reform in New Zealand: Options for public management as
governance:UniversityofCanterbury.
Power, M. (2004). The Risk Management of Everything. London: Demos.
Power, M. (2005). The invention of operational risk. Review of International Political
Economy, 12(4), 577-599.
Power, M. (2007). Organized uncertainty: Designing a world of risk management. Oxford ;
New York: Oxford University Press.
Power, M. (2009). The risk management of nothing. Accounting, Organizations and Society,
34(6), 849-855.
Schatzki, T. R. (2001a). Introduction: Practice theory. In T. R. Schatzki, K. K. Cetina & E. v.
Savigny (Eds.), The Practice Turn in Contemporary Theory (pp. 1-14). London: Routledge.
Schatzki, T. R. (2001b). Practice mind-ed orders. In T. R. Schatzki, K. K. Cetina & E. v.
Savigny (Eds.), The practice turn in contemporary theory (pp. 43-55). London: Routledge.
38
Schatzki, T. R. (2002). The site of the social: A philosophical exploration of the constitution
of social life and change: University Park: The Pennsylvania State University Press.
Schatzki, T. R. (2012). A primer on practices Practice-based education (pp. 13-26): Springer.
Standards Australia/Standards New Zealand. (1999). Guidelines for Managing Risk in the
Australian and New Zealand Public Sector. Strathfield: Standards Association of Australia.
Tekathen, M., & Dechow, N. (2013). Enterprise risk management and continuous re-alignment
in the pursuit of accountability: A German case. Management Accounting Research, 24(2),
100-121.
Themsen, T, N. (2004). Risk Management in Large Danish Public Capital Investment
Programmes. PhD Thesis. Copenhagen Business School.
Vaara, E., & Whittington, R. (2012). Strategy-as-Practice: Taking Social Practices Seriously.
The Academy of Management Annals, 6(1), 285-336.
Vinnari, E. & Skærbæck, P. (2014). The Uncertainties of Risk Management: A Field Study on
Risk Management Internal Audit Practices in a Finnish Municipality. Accounting, Auditing and
Accountability Journal, 27(3), 486-526.
Vincent, J. (1996). Managing risk in public services: A review of the international literature.
I/nternational Journal of Public Sector Management, 9(2), 57-64. doi:
doi:10.1108/09513559610119564
Walsham, G. (2006). Doing interpretive research. European journal of information systems,
15(3), 320-330.
Wang,Z,Mahama,H&Lee,J.(2016).ExperimentingwithRiskandManagementControlSystemsin
Inter-firmAlliances.Workingpaper.
Woods, M. (2009a). A contingency theory perspective on the risk management control system
within Birmingham City Council. Management Accounting Research, 20(1), 69-81.
Woods, M. (2009b). Risk management in organisations: An integrated case study approach.
Abingdon, Oxon: Routledge.