Managing risk in the public sector – The interaction between vernacular and formal risk management systems

• Author: Patrik Tran,Martin Carlsson‐Wall,Anita Meidell,Kalle Kraus
• Published date: 01 February 2019
• Date: 01 February 2019
• DOI: http://doi.org/10.1111/faam.12179

Received: 10 February2017 Revised: 21 February2018 Accepted: 4 April 2018

DOI: 10.1111/faam.12179

ORIGINAL ARTICLE

Managing risk in the public sector – The

interaction between vernacular and formal risk

management systems

Martin Carlsson-Wall1,2 Kalle Kraus1,2,3 Anita Meidell4

Patrik Tran1

1Departmentof Accounting, Stockholm

Schoolof Economics, Box 6501, 11383,

StockholmSweden

2Centrefor Applied Research at NHH,

Helleveien30, 5045, Bergen Norway

3Departmentof Accounting, Monash Business

School,Level 3, Building H, Caulfield Campus,

900Dandenong Road, Caulfield East, VIC 3145,

Australia

4Departmentof Accounting, Auditing and Law,

Norwegian School of Economics, Helleveien 30,

5045,Bergen Norway

Correspondence

KalleKraus, Department of Accounting, Stock-

holmSchool of Economics, Box 6501, 11383

Stockholm,Sweden.

Email:kalle.kraus@hhs.se

Abstract

This paper examines the management of risk in a large public sector

organization. Accounting research on “new” risk management in the

public sector has focused on how formal risk management systems

emerge through a top–down approach, primarily driven by external

demands. Our study contributes to this body of work bydetailing the

emergence and operation of vernacular risk management systems,

that is, systems self-generated by organizational actors in the con-

text of their work and not officially sanctioned within the organiza-

tionalhierarchy (cf., Kilfoyle, Richardson & MacDonald, 2013). In this,

we theorize how such systems interact with formal risk management

systems, thereby also contributing to other disciplines such as cri-

sis management and project management. Drawing on Fischer and

Ferlie (2013), we detail how severalvernacular systems co-exist and

have different interaction modes with the formal risk management

system, and consider how these modes of interaction also change

over time. Finally, our results highlight the link between the oper-

ation of “new” risk management and inter-organizational relation-

ships, demonstrating that such relationships can be an important

asset to build on in risk management work.

KEYWORDS

case study, inter-organizational relationship, public sector,risk man-

agement, vernacular accounting

1INTRODUCTION

The waysin which people have conceived risk have varied historically as well as between disciplines. The historical pro-

gression of the notion of risk and its management can be traced back to the premodern era when risk associated with

natural events beyond human agency and the management of risk, as currently understood, had hardly been consid-

ered (Spira & Page, 2003). Later,at the dawn of Modernity, the world was seen as governed by laws of probability and

Financial Acc & Man. 2019;35:3–19. wileyonlinelibrary.com/journal/faam c

2018 John Wiley & Sons Ltd 3

4CARLSSON-WALLET AL.

risk was hence viewed as a relatively straightforwardmatter, measurable and calculable. Risk was defined in statistical

terms as the probability of an event multiplied bythe magnitude of losses or gains associated with the event (Gephart,

Van Maanen & Oberlechner, 2009). With this definition of risk, risk management is about the analysis of the likeli-

hood of unpleasant surprises and the management of the consequences of these surprises using laws of probability

(statistical measurement, regression to the mean, diversification) and utility theory (value judgments, opportunity cost

assessments, game theory) (Holt, 2004). This view of risk served an important function as facilitating the management

of an unforeseeable future (Gephart et al., 2009).

Recentlyhowever, the view of risk has shifted. In Late Modernity,risk often refers also to risks that cannot be known,

to unquantifiable uncertainties (Gephart et al., 2009). This implies that risk management is not only a description of a

given reality,it also includes a constitutive element: the way organizations depict their risks has a significant effect on

the way they will, eventually,react to events and to other actors (Millo & MacKenzie, 2009). In line with this develop-

ment, and following Power,Scheytt, Soin, and Sahlin (2009), in this paper we use the term “risk” to denote those phe-

nomena that are conceptualized and managed as risks within the organization (see also, Arena, Arnaboldi, & Azzone,

2010; Miller, Kurunmäki, & O'Leary,2008). To further emphasize the shift in the perception of the nature or risk that

has occurred over recent decades and to acknowledge the long history of risk management in other disciplines, we fol-

low Palermo (2014) and denotes this more recent body of accounting work as the literatureon “new” risk management.

Researchers within this stream of research have demonstrated that formal risk management systems have prolifer-

ated in both public and private sector organizations over the last two decades (Arena et al., 2010; Cuganesan, Guthrie,

& Vranic,2014; Miller et al., 2008; Power, 2007). “New” risk management has come to be seen as an emerging key ele-

ment of New Public Management (NPM), where the growth in risk management practices has increased the focus on

“processes, auditable trails and documentation”(Lapsley, 2009, p. 16).

Research on “new” risk management has focused attention toward the introduction of formal risk management sys-

temsin public sector organizations (Palermo, 2014; Rocher, 2011; Vinnari & Skærbæk, 2014; Woods, 2009). A common

feature of these studies is a hierarchical, top–down approach for implementing formal risk management systems trig-

gered by external pressures or regulatory demands. There is a concern in the “new” risk management literature that

organizations respond to pressures for implementing formal risk management systems in a superficial manner just to

meet regulatory requirements and appease stakeholders, rendering risk management a tick-boxing exercise(Power,

2009; Soin & Collier,2013; Woods, 2009).

However,formal risk management systems are not the only available means of managing risk in the public sector.

There is a large body of work from other disciplines such as crisis management (Fischbacher-Smith & Fischbacher-

Smith, 2014), project management (Osipova& Eriksson, 2013), high reliability organizations (Weick & Sutcliffe, 2001),

knowledgemanagement (Scott & Walsham, 2005), health and safety management (the Robens report, 1972), and social

anthropology (Douglas & Wildavsky,1982) that emphasizes local adaptations and the need to acknowledge risk man-

agement performed by staff who know the details of the local context and therefore make use of alternative forms

of risk management. In this paper,we focus on one specific alternative form, namely employee-generated, but not for-

mally sanctioned, information systems. By drawingon the concept of vernacular accounting, that is, systems developed

by organizational actors in the context of their work without these being officially sanctioned by the organizational

hierarchy (Kilfoyle, Richardson, & MacDonald, 2013), we introduce the notion of vernacular risk management systems.

Vernacularrisk management systems are developed and used by local managers in relevant daily activities and as such

they will depend on the context of the work and the individual's knowledge and experience. To increase our under-

standing of how the “new” risk management works in the public sector,we argue that it is important theoretically and

empirically to widen our gaze beyond formal risk management systems (cf.,Miller et al., 2008) to consider the opera-

tion of vernacular risk management systems and how they interact with the existing formal ones. Our paper is based

on a case study of a large Swedish governmental agency,Swegov, and we pose the following research question: How do

vernacularrisk management systems emerge and interact with formal risk management systems in a public sector organization?

Our paper makesthe following contributions: First, while prior work on “new” risk management in the public sector

has shown how formal systems emerge as a top–down approach, primarily drivenby external demands (Palermo, 2014;

Rocher, 2011; Vinnari & Skærbæk, 2014; Woods, 2009), our findings suggest that Swegov local managers were very