When the word ‘integrated’ is associated to a business practice, an organisational environment, or a workplace, it is often good news. The term has a positive connotation in common language, expressing something that is ‘systematic’, ‘comprehensive’, ‘coherent’, ‘cohesive’ etc. Indeed, dictionary definitions leave no doubt. Something is integrated if ‘two or more things [are] combined in order to become more effective’ (emphasis added, see here).

Organisational risk management processes are no exception. In the last two decades, a burgeoning number of consulting papers and professional guidance documents suggest that ‘integrated’ risk management, providing a holistic view of enterprise-wide risks, is key to success (see, for example, this). In short, the terms ‘integration’ and ‘integrated’ seem to possess a sacred quality that makes it difficult for a ‘rational’ person to be against them, just like other words such as ‘efficient’ and ‘transparent’.

But ask yourself if your workplace is ‘integrated’. Many things spring to mind: shared procedures and reporting lines; coordinating roles across different functions; frequency of meetings; task and goal affinity among organisational members; physical proximity of offices; and even friendship and mutual respect. This thought experiment reinforces the idea that studying ‘integration’ is not easy, given the ambiguity of what ‘integrated’ means in concrete organisational settings (e.g. your workplace). From this thought experiment and dictionary definitions, we also note an apparent paradox. To make two or more things integrated, these things have to be distinct in the first place, so that they can be subsequently linked up. So, does integration require disintegration?

A field study of ‘integrated’ risk management practices sheds light on such dynamics of (dis)integration (see here), empirically focusing on two manifestations of enterprise risk management (see here) in two large organisations operating in Italy, and their evolution over time.

Just looking at the templates used to identify and assess enterprise-wide risks, it is possible to get an idea of two approaches to ‘integration’. In one case (CASE 1), we have a long list of abstract risk categories defined by the risk function that should cover all possible risks arising in the course of the company’s operations, ranging from a plant’s explosion to compliance mistakes. By using this template, risk assessors in different parts of the organisation should be able to follow a common and standardised template and therefore come up with similar views about risks that can be aggregated. Here the focus in risk identification and assessment is narrow (e.g. people need to use a standardised procedure), but also broad (e.g. comprehensive list of risk categories).

In the second case (CASE 2), we have a short list of items, from industry context changes to internal rewards systems, which can be used to inspire ‘risk talk’ (see here) that aim to quantify potential financial variances compared to expected performance targets. Here the focus of discussion is narrow (e.g. limited to quantifiable financial performance variations) but at the same time comprehensive (e.g. discussion via interactive workshops can flow in many different directions and is open to the use of different risk assessment tools).

The longitudinal analysis shows how such abstract designs are put to work and are adjusted over time. In CASE 1, despite efforts to provide a comprehensive list of risk categories, a number of residual categories, which do not fit the context envisaged by ‘integrated’ risk management designers, become visible. For example, commodity risks need to be taken care through separate processes that have more traction within line managers. In CASE 2, things are added to make ‘integrated’ risk management work, via workshops’ discussion. There are efforts to add context to risk information so that it acquires a shared meaning in relation to specific problem areas (e.g. human resources, industry changes, logistic) and help explain financial variances.

These two dynamics of enterprise risk management produce counterintuitive outcomes. The narrowing down of ‘integrated’ risk management in CASE 1 can be related to greater visibility in various parts of the organisation of what is seen (with scepticism by some) as a ‘standardised process’ that has limited managerial relevance. The expansion of issues covered through ‘integrated’ risk management in CASE 2 can be related to less visibility of the risk identification and assessment process specifically and the blurring of the boundaries between risk management and other management control processes such as budgeting. In short, the more relevant ‘integrated’ risk management is, the less visible risk identification and assessment becomes. But this feature becomes a problem following a corporate crisis, during which internal and external stakeholders alike start questioning about the role of risk management and demand the adoption of a more proceduralised process, very similar to the one adopted in CASE 1. And, just like in CASE 1, this new process quickly loses managerial relevance.

The contrast between these two cases provides additional insights about the manifold manifestations of ‘integrated’ risk management, extending a growing body of research (see, for example, this and this). But, more uniquely, it uses the empirical phenomenon of ‘integrated’ risk management to theorise an important feature of what are labelled as the ‘dynamics of (dis)integration’. The basic idea is that no matter how you approach the design and use of ‘integrated’ work processes and practices, there will be something that is left out. And what is excluded eventually becomes a key challenge for ‘integrated’ designs. The ideals of ‘integrated’ risk management, whatever they end up being in their empirical manifestations, are subject to a self-undermining pressure towards (dis)integration.

To conclude, managers need to be wary of the tensions involved in the construction of ‘integration’. What is left out rather than what is included, is likely to trigger relevant organisational changes, resulting in modifications to existing configurations and power spheres. The study of (dis)integrated risk management has also implications for practitioners and regulators interested in, or working with, multiple and emerging manifestations of risk management. Lengthy risk identification and aggregation processes, which make ‘key’ risks visible on a periodic basis, providing a ‘canopy-like’ view of an organisation, tend to have little relevance for line managers. In contrast, the forms of risk management that take place through inconspicuous ‘risk talk’ may be highly relevant for addressing key managerial concerns. And yet, by their very nature, they may go unnoticed, as the boundaries between risk management and other control and managerial processes blur.

♣♣♣

Notes:

  • This blog post is based on the author’s paper The dynamics of (dis)integrated risk management: A comparative field study, co-authored by Marika Arena and Michela Arnaboldi, in Accounting, Organizations and Society, volume 62, October 2017, pages 65-81. 
  • The post gives the views of its author(s), not the position of the institutions they represent, the LSE Business Review or the London School of Economics.
  • Featured image credit: Image by annca, under a CC0 licence
  • When you leave a comment, you’re agreeing to our Comment Policy.

Tommaso Palermo is (post major review) assistant professor of accounting at LSE. His main research interests include the design and use of enterprise risk management and performance management systems, risk culture in financial sector organisations and risk reporting and analysis in the aviation sector. Tommaso’s more recent work focuses on accounting and risk regulation in new markets for contested commodities, such as recreational cannabis in Colorado. Email: t.palermo@lse.ac.uk