The New Risk Management
Power, Michael, European Business Forum
In a compelling analysis of the decision to launch the Challenger space shuttle on 28 January, 1986, Diane Vaughan has questioned the generally accepted explanation of that event. Instead of specific managerial wrongdoing combined with technological failure, she claims in her book The Challenger Launch Decision that 'no extraordinary actions by individuals explain what happened: no intentional managerial wrongdoing, no rule violations, no conspiracy. The cause of disaster was a mistake embedded in the banality of organisational life.' The message is that risks and their associated opportunities are rooted in specific institutions and practices, in daily operations which become organisational habits. If we are serious about risk management, we must be very cautious in assuming that legal, institutional and political demands to blame particular individuals and hold them responsible correctly identify the root causes of risk. Rather, the mundane transactional life of organisations deserves much closer practical and intellectual attention.
There is a long history of technical risk management practice in disciplines such as finance and engineering. Recently, the category of 'operational risk' has emerged in policy thinking. This was first a kind of dumping category for risks which can not be dealt with elsewhere, or are less amenable to technical analysis. Later it appears as a more fundamental challenge to the meaning and scope of risk management practice. Indeed, the 1990s witnessed far reaching changes in the conception of the way that large organisations should manage danger and opportunity; there was a new demand for the consolidation, coordination and systematisation of risk management practices. And as risk management practices in large organisations are becoming much more managerial and strategic in focus, management and regulatory practice is also being reinvented through a broadened concept of risk. This shift in the nature of management attention to corporate risk characterises the 'New Risk Management' (NRM).
The NRM has its origins in two distinct but convergent pressures. First, it is well known that sellers of insurance seek to overcome moral hazards by giving the insured incentives to behave more as if they were uninsured. In part this is achieved by offering lower premiums in return for risk-reducing actions, such as installing window locks for home insurance or requiring environmental audits as a condition of liability cover. Over time, an important advisory domain for the insurance industry has been created, with a focus on the internal control and compliance systems of companies. In addition, many large organisations (like BP Amoco) have re-examined their insurance strategies and the self-insurance of some risks is increasingly rational where relevant internal control is good. Accordingly, both supply and demand side market pressures in insurance have been converging on the self-organising and self-regulating capacity of companies. Risk transfer in the form of insurance is being conceived as part of a broader risk management portfolio, even to the extent of regarding the decision to insure as a residual.
The second major pressure for change arises from the regulatory, professional and industrial reactions to corporate scandal, and the emergence of thinking about corporate governance. The original Cadbury Code in the UK (now the Combined Code) represented a formalisation of practice in the wake of the collapse of the Maxwell empire and provided a template for the rest of the world. Part of the concern is to improve shareholder power and the market for corporate control. Importantly, there is also a sustained emphasis on internal structure and control systems, which is intended both to motivate and constrain management. The Turnbull Report, which promotes principles of internal control and risk management for UK company directors, is the latest and most influential statement of this thinking. …