Soziale Systeme 3 (1997), H.1, S. 3-21
From Risk Society to Audit Society
Michael Power
Zusammenfassung: Der Essay beschäftigt sich mit den Implikationen
der zu beobachtenden Zunahme des Auditing in Großbritannien für
Ulrich Becks Konzept der 'Reflexiven Modernisierung'. Allgemein
wird angenommen, daß die neue Form der Qualitätsprüfung Prozesse
reflexiven Lernens in Organisationen ermöglicht, so daß eine Kompatibilität
zwischen ökonomischen Kriterien und Regulierungszielen herstellbar
ist. In der praktischen Umsetzung funktioniert Auditing als Teil
einer Struktur der 'Kontrolle der Kontrolle', deren Möglichkeiten
ambivalenter sind, als das Modell suggeriert. Trotzdem wird Auditing
aufgrund ökonomischer Motive und Gründen der Informationsverarbeitung
zu einem dominierenden Regulierungsstil. Die diskutierten Beispiele
des Auditing im Gesundheitssystem, des Umwelt-Audits und des Derivatenmanagements
legen nahe, daß Auditing sich stärker auf Prozesse des Managementsystems
als auf das substantielle Operieren einer Organisation konzentriert.
Diese Erkenntnis widerspricht der allgemeinen Erwartung an die Form
der Selbstregulierung und hat unabsehbare Nebeneffekt. Die allgemein
herausgestellten reflexiven Potentiale des Auditing sind zumindest
noch nicht sichtbar, so daß das Aufkommen der Auditing-Gesellschaft
eher mit Becks Konzept der 'organisierten Unverantwortlichkeit'
beschreibbar ist.
I
There is a growing intellectual recognition of the need to design
governance mechanisms which, in various ways, enlist the resources
of the regulatee. There has been much talk of 'governmentality'
(Rose/Miller 1992), 'mutual regulation'
(Simmons/Wynne 1994), 'self-organization'
(Luhmann 1988; Luhmann 1991; Teubner/Farmer/Murphy 1994)
and 'responsive regulation' (Ayres/Braithwaite 1992).
It is as if a certain kind of socio-legal scepticism about the implementation
'deficit' of classical regulatory goals is giving way to more upbeat
assessments about the internalization of compliance cultures within
organizations. Concepts of local empowerment have become fashionable
and 'regulatory networks' which draw from the cognitive and financial
resources of the regulatee have become an object of interest in
many different domains. Overall, the softer language of 'compliance
readiness' is replacing that of command and control. These shifts
in theoretical attention also reflect institutional change: methods
of governance in a wide variety of areas are turning to voluntaristic
and market based forms of control. Capitalism has become 'disorganized'
and 'out of control' as reflexive and locally flexible control and
information structures have developed (Lash/Urry 1994, chapter 4; Kelly 1994).
It is clearly an overstatement to imply that modern states have
always, until recently, attempted to control 'from above': informal
methods of indirect influencing and state involvement in markets
(Kettl 1993) have always existed. But
there seems to be such a conspicuous and systematic change of regulatory
mood in recent years that it no longer makes sense to juxtapose
regulation by self and regulation by others. This is not just a
tired theoretical opposition; regulatory authorities with forms
of stability and control as politically necessary objectives are
recognising their limited economic and cognitive resources. Mechanisms
are being explored by which desired behaviours can be stimulated,
largely by attempting to internalise imperatives which were previously
externally imposed. For example, there is an emergent interest in
'reflexive' forms of law predicated on the need to understand how
decisions are made (Teubner 1993; Farmer/Teubner 1994; Orts 1995). This transformation in control
philosophy has created a demand for ways of making organizational
fields internally and externally visible for decision making purposes.
More precisely, new information structures are required in order
to challenge and shift the boundaries between insiders and outsiders
and to reconnect decision makers with their remote publics. This
connection is effected via systems of layered influences, chains
of control practices in which each 'link' controls the next. In
short, an explicit regulatory style is emerging which can be characterised
by the idea of 'control of control'.
Against the background of these broad regulatory developments,
this essay explores explore the recent growth of auditing as a form
of 'control of control' (Power 1994a) and analyses it in
relation to a number of the issues raised by Beck (1992b). Ulrich Beck's concept of
'reflexive modernization', and his suggestion that 'classical instruments
of political direction' (Beck 1992a, 107) are being displaced
by systems of knowledge which are open and self-monitoring, are
consistent with the emerging regulatory style described above. This
theme of self-monitoring is common to many writers and in practice
audit represents a distinctive style of risk management which is
growing in many different areas. Even forms of incentive based controls
through legal liability and insurance mechanisms employ audit processes;
in this way audit has become fundamental to a new regulatory mood
which delegates and supervises. Auditing is not a glamorous subject,
either for its practitioners or indeed for its theorists. However,
it is because of this lowly and merely technical self-image
that it has, almost unnoticed, come to be such a key regulatory
resource and has extended its reach into many different areas of
social life. Audit practices also seem to offer a potential for
anchoring Beck's concept of 'reflexive modernization'. For example,
the concept of 'reflexivity' could be defined in terms of 'self-audit'
i.e. as a practice of second-order observation of organizational
operations. However, this essay argues that the programme of effective
'control of control', in which internal systems can be linked to
distant regulators via auditing, is more ambivalent than the hopes
that have been invested in it. The reflexive potential of a risk
society in Beck's sense may be delayed by, and decay into, an 'audit
society' (Power 1994b) and varieties of
'organized irresponsibility' (Beck 1992a, 103).
II
According to Beck, a paradigm shift in the understanding of risk
is needed: a shift from the problem of knowing risk to the problem
of the risks inherent in ways of knowing. This is his most striking
theme: risks originate in the social organization of knowledge and
norms rather than in nature itself. There is of course widespread
recognition that many risks are the product of industrial modernization
and he is not alone or recent in making this claim. But Beck also
argues that this has reached a point where the economy is becoming
increasingly 'self-reflective' in its operation and new strategies
of risk definition have emerged in new locations: "This means that
the calculation of risk as it has been established so far by science
and legal institutions collapses" (Beck 1992b, 22) Calculative practices
which used to be oriented towards external, environmental 'dangers',
such as shipping insurance, are now reorienting reflexively around
the self-production of risk.
Luhmann seems to make a similar point when he argues that risk,
as opposed to danger, implies a form of management oriented towards
decision making potential: "More and more states - whether
existing or aspired to - are seen as being consequent to decisions
i.e are attributed to decisions" (1991, 46) rather than to nature.
Or, as Beck puts it, latent side effects which have been experienced
as natural fate are being newly attributed and where this occurs
a sense of the need to manage risk arises.
Elements of Beck's diagnosis might culminate in a rather gloomy
assessment of the prospects for change. However, he is guardedly
optimistic about the immanent and 'reflexive potential' which is
(will be?) realised in the recognition of self-produced risk. For
example, the cultural authority of scientific experts is being undermined
since their expert knowledge is implicated in the production of
risk in the first place: "There is no expert on risk" and the concept
of 'acceptability' is no longer the province solely of experts;
risk analysis is a "polygamous marriage with business, politics
and ethics (...)" (Beck 1992b, 29).
Drawing from the fragility of scientific authority made evident
in science policy studies, Beck argues that an essential tension,
an adversarial dialectic of expertise and counter expertise, is
constitutive of an emergent politics of risk definition. This politics
is intensified by a confidence in abandoning scientific arguments
about causality ('much will not be able to be corroborated'). A
new spectrum of liable parties, in which responsibility no longer
follows causality, has been made possible. Previously, the law was
such that no-one could be blamed and no-one was therefore responsible
(Beck 1995). According to Beck, the
monopoly of rationality enjoyed by scientific hazard definition,
and the division of the world into experts and non-experts has been
shattered and contested. However, the abandonment of causal authority
also provides opportunities for competing definitions of what it
is to manage risk.
As Beck notes, fighting self-produced risks has become a flourishing
industry itself and new instruments of definitional risk-management
are being developed. This has given rise to antagonisms between
risk-definers and consumers, definitional struggles which oscillate
between revealing and concealing risk. These are struggles not just
about methods but also about who is affected and a complex victimology
is emerging from these debates. Beck also points to new markets,
driven by demands for the avoidance of risk, in which risk production
may be normalised (e.g. by tradeable pollution permits). This is
what he describes as a 'cosmetics of risk', a symbolic industry
of risk management. For example, the notion of an 'acceptable level'
of pollution fulfils only the function of a symbolic detoxification;
in the process society has become a laboratory. And Beck alludes
to a certain 'remanagerialization of risk' which embodies a distinctive
logic: the "institutionalized non-management of problems" (Beck 1992a, 105) in which "security
strategies are a side show" (Luhmann 1991, 29).
Although Beck anticipates some of the dangers of the 'remanagerialization'
of risk, these concerns are balanced by his 'immanentist' optimism
about a new democratic potential: 'poverty is hierarchic but smog
is democratic'. In other words, distinctive potentialities inhere
in the eventual identity of perpetrators and victims and Beck (1995) argues that big industry is
its own best opponent. These claims, with their typical aphoristic
density, have an ontological flavour: risks are the 'stowaways of
normal consumption'. For Beck, such objective commonalities have
not yet been fully politically activated and, a little like Habermas
perhaps, he posits the ideal of an emergent political subject. Hence,
the concept of 'reflexive modernization' is intended to express
trends in which existing monopolies of knowledge and politics are
breaking down and being replayed into themselves. In the 'demonopolization'
of science, science actually becomes more necessary even though
it is also less self-sufficient for socially binding definitions
of truth: wider publics may be active co-producers of truth about
risk. In this way the internal culture of scepticism (conjecture
and refutation) of science, which was paradoxically coupled to claims
to certainty in external markets, is being turned inside out. According
to Beck, public uncertainty will turn afresh to reflexive science.
Another dimension of the 'reflexive modernisation' concept is that
the distinction between the calculable and the incalculable also
changes. Beck seems to be pushing for a concept of practical solvability
which is not compromised by expert prevarication about the immeasurability
of side effects. The abandonment of strict causality corresponds
to a repositioning of expert authority: risk calculation emerges
not as controllability but as estimateability in such a way that
secondary effects are robbed of their latency. Reflexive modernization
means the recognition of the self-origination of threats such that
side effects can be reconnected to their contexts of production.
Beck recognises that the collective learning which such a process
of reconnection represents is threatened by a 'secondary industrialization
of consequences and symptoms which tends to expand markets.' In
other words, the sources of danger are not ignorance (of nature)
but structures of institutionalized knowledge. In short, ways of
knowing are ways of being ignorant.
Emergent forms of environmental accounting provide a good illustration
of both this potential and danger. Where 'green disclosures' are
appended to traditional representations of corporate performance
in annual reports, the self-production of risk remains publicly
invisible. Only where external effects can be reinternalized can
the 'invisible be made culturally discernable' (Beck 1992a, 118) and new forms
of responsibility can crystallise around new accountings for side
effects (Power 1994c). Although calculability
and the attribution of side effects has always posed problems for
credible environmental accounting, Beck seems to be suggesting that
the principle of reinternalization is more significant than causal
accuracy. Exact calculation may be less important than shifting
the institutionalized boundaries of the reporting entity and thereby
shifting the onus of proof and responsibility.
According to Beck, the seeds for reflexive modernization are to
be found in an emergent sub-politics of, for example, flexible specialization
where new information networks for organizations are replacing the
fictional model of central steering. These transformations in organizational
life embody the essential potential for activating responsibility
for self-produced side effects, ideas which connect Beck's claims
to the wider concerns with rethinking regulation mentioned above.
Reflexive modernization implies that effective regulation demands
a certain kind of self-regulation which internalizes responsibility
for externalized side effects.
Having taken some of Beck's ideas as a point of departure, they
are not without problems. In addition to his methodological elusiveness
(Nowotny 1992), his 'high hopes may
look more like deep illusions' (Bauman 1992) and he is ultimately
exposed to the charge of too idealistic a belief in the potential
for a new political subject. This weakness corresponds to an underestimation
of the power of corporate capital. As one commentator has remarked,
'Most of the institutional changes which Beck describes...may..be
effects of the pervasive intervention of markets into hitherto unpenetrated
or resistant spheres.' (Rustin 1994, 11). Furthermore, it
is far from clear that flexibilization and other such developments
are leading to a de-monopolization of forms of knowledge, rather
than a reinforcing of particular interests. His argument is perhaps
overdetermined by the experience and hopes of the German greens
(Rustin 1994, 10) and, rather like
Habermas, Beck overattends to science and fails to recognise the
manner in which other disciplines, such as accounting, have begun
to replace the cultural authority of science (Power 1994d). For example, Beck's
(1992a, 119) democratic enthusiasm
for the interdisciplinarity of experts and dissenting voices underestimates
the role of controlling disciplines in managing interdisciplinarity
(Power forthcoming). In this way 'risk prevention is forged into
the tired (and now suspect) crisis management and problem solving..'
(Bauman 1992). Ultimately Beck poses
the issues of reflexive modernization at the level of changed individual
identities; where his thesis might have made a significant contribution
to the idea of changed collective subjects, the preconditions of
a 'new' corporate subject (Teubner 1994), he is frustratingly
silent.
Beck poses, in popular form, questions which Luhmann has formalized
in terms of the self-referentiality of social systems and their
second order self-observations. Reflexive observation takes as its
object the risks which lie within the very structures of observation
which determine the sensitivity of social systems to their latent
effects. In very different ways both Beck and Luhmann are concerned
with the risks immanent in knowledge structures: Luhmann's imperative
of maximising 'systems resonance' can be made to look like a project
of making knowledge reflexive. But perhaps both Luhmann and Beck
systematically understate the tendencies by which such new forms
of knowledge become institutionalized and new categories of expert
emerge. The question of 'systems resonance' towards ecological risk
in Luhmann's sense is a function of expert knowledge whose institutional
embodiment determines the extent to which it is fully reflexive
in Beck's sense.
If the paradigm shift to a form of rationality with responsibility
for self-produced risk at its centre is really to occur, accounting
and audit practices, as primary mechanisms by which corporate activities
are presently made officially visible, will also need to change.
It is well known that accounting is a filter for variable forms
of uncertainty in the environment of organizational decision making.
Accounting as a technology for managing uncertainty translates the
spontaneous disturbances of daily transactions into manageable data
for decision making purposes. But in the mode of second-order observation
of accounting operations, it has also been recognised that, prior
to the use of accounting for decision making purposes, there are
'callibrational' decisions about the distinctions or categories
with which accounting is to function (Hines 1988). It is at this level that
the risk of knowledge, rather than knowledge of risk, resides. And
it is also here that, audit as a practice which monitors and reports
on accounts is a test case for the reflexive potential that Beck
and others describe.
III
At first glance, audit practice seems to coincide broadly with
theoretical ideals of reflexive self-observation. Audits make practices
transparent to insiders, enable third party scrutiny and thereby
enhance internal and external accountability. Audit facilitates
a legitimate 'right to know' (Gunningham/Prest 1993, 523)
and challenges the 'natural' authority of the practices by demanding
new accounts of performance.(2) At the same time audits
are conceived as 'light' regulatory devices which monitor individuals
and organizations but which also leave them alone and which presuppose
the autonomy of the auditee. The basic idea and hope is that the
auditee, subject to the gaze of the regulatory body, is stimulated
to engage in further processes of self-audit through which
practices and procedures are constantly improved relative to benchmark
standards of performance. In this manner external audit arrangements
demand an internal reflexive self-auditing process, a certain
kind of critical self-observation which forces standards of behaviour
from below (Simmons/Wynne 1994).
This blueprint for audit practice coincides with ideals of sub-contracted
regulation: it provides distant regulators with a mechanism of control
which engages with and shapes decision processes inside the regulatee.
The audit communicates to the regulator in various ways, the simplest
being a form of certification of compliance. In this way auditors
are a form of 'entrepreneurial gatekeeper' (Kraakman 1986), to whom rights of
inspection have been delegated and for which they provide some form
of attestation or certification of the regulated entity. The regulator's
dream is fulfilled: audit maintains the residues of central oversight
while functioning as the basis for auditee self-reflection and improvement.
Moreover audits are cheap since the auditee pays; audits are located
at the bottom of an 'enforcement pyramid' which can escalate upwards
into more punitive forms of regulation (Gunningham/Prest 1993, 522).(3) In short, auditing reconciles
compliance needs and organizational learning.
This ideal image of what auditing can achieve has fuelled an 'audit
explosion' (Power 1994a; Power 1997) in many different fields.
Audits have become central to the legitimation of a wide range of
entities and groups. From the governance structures of private sector
corporations to charities to psychotherapeutic practitioners, audit
has become an important symbol of acceptability, indicative of ideals
of transparency, accountability and managerial willingness to learn.
To be audited or to say one is doing an audit is to claim institutional
credibility for what one does. However, for all the ideological
momentum that auditing has acquired, it remains an ambivalent practice
and it is unclear what it produces. Indeed, the success story of
auditing has much to do with this ambivalence and its ability to
produce symbols of comfort for anxious rulers (Pentland 1993). At the extreme,
instead of facilitating reflexivity and learning, audit is a form
of elaborate organizational self-presentation, rich in the images
of risk management and assurance which are demanded by a 'politics
of fear' (Bauman 1992). The central question
is whether it is a substantive or merely formal control practice.
The 'audit explosion' represents a distinctive shift in regulatory
style which reformulates, rather than abandons, an older style of
hierarchical control. Auditing can be characterized as a form of
'control of control' operating at the interface between regulatory
and management systems of control. The idea is that control is now
exercised in chains (or layers, depending on the guiding metaphor)
with each link (layer) in the chain primarily controlling its neighbour
by stimulating forms of self organization and control (See figure
1).
Figure 1. Control of Control
It is through this chain that the regulator, ultimately the state,
and the regulated are linked in a form of 'mutual' regulation. The
former enlists the competence of the latter by delegating control
along the chain and, in return, is provided with appropriate signals
of regulatory compliance. The latter derives legitimacy and market
power from state endorsement of competence and is disturbed by audit
processes into developing systems of control which, through both
internal and external audit processes, can be self-observing. Auditing
provides the crucial link in this chain of control, mediating both
state and organizational objectives; it faces both ways at once.
Applied to figure 1 the idea of control of control means that the
state controls and certifies the external audit process while maintaining
its own inspectorial capacity. External audit concerns itself primarily
with organizational systems of control, particularly the internal
audit function itself. In turn, the internal audit function, which
is a 'higher' element of the management system, observes and reports
primarily on the operation of that system rather than on the organization
activities directly. Finally, the management system of control itself
observes the first order activities of the organization itself,
made visible to the control system by some form of accounting for
performance. The idea of 'control of control' means that auditing
processes are more indirect than is commonly imagined; they seek
to observe and stimulate the development of control systems and
they verify systems' structure and operations. This is effectively
the 'observation of arrangements for self-observation' and the 'control
of control' structure is implicit in regulatory initiatives in many
different areas. The hope is that such an approach will stimulate
responsible self-observation and learning by organizations. However,
the control of control ideal is often problematic in practice.
First, the form of certification which flows from left to right
in figure 1 is low in informational content and deliberately so.
What tends to be important is that an audit is done, not
what is done. This means that control of control does not
necessarily correspond to the openness and transparency that is
often claimed for it. Consequently, audits require that auditors
are trusted: if audits are to make the practices of auditees acceptable
and credible then the auditor must also be a legitimate actor. Hence,
the audit explosion has been accompanied by a wave of state sponsored
auditor-accreditation initiatives (Gunningham 1993). This has been
most conspicuous in the environmental auditing realm, but is also
evident elsewhere. The state delegates and certifies auditing competence.
Second, audits are not as neutral in their effects as the idea
of observation suggests. Audits 'make things auditable' (Power 1996) because they require
individuals and organizations to be made visible in a manner which
conforms to the audit process. This means that auditing actively
stimulates the development of systems and the related forms of accounting
for performance which make the control of control possible. Audit
is not just a link in the chain of control pictured above; it actually
determines the form of those links. This suggests a close relation
between organizational accounts and the forms of auditing which
validate them; audit presupposes a domain of auditable facts. In
the case of financial audit, these 'facts' have been around for
many years and get revealed in the production of financial accounting
statements. However, in the UK in the 1980s and 90s audits have
functioned for the first time in many organizations where very few
formally auditable facts existed. In these cases a control of control
structure like that in figure 1 needed to be created and the auditable
facts of performance had to be constructed by means of an accounting
and control system. Once this structure is in place, audit can function
as the control of control. For example, in the case of health care,
a control of control structure based on figure 1 can be constructed
(see figure 2).
Figure 2. The Structure of Medical Auditing
These different links are becoming explicit, formal and distinct.
Historically, the self-observation of medical practitioners was
a private, local and ad hoc affair. In recent years in the UK there
has been considerable experimentation with forms of clinical accounting
and management control systems which would reveal the 'facts' of
practice and which would thereby also make medicine auditable. Most
non-financial health practitioners understand the concept of medical
audit and its variants as this process of accounting. In many instances
it is like an internal data gathering exercise in which doctors
ask themselves how they can improve clinical procedures. Much of
the practitioner support for auditing of this kind is really the
local enthusiasm of those who wish to improve practice and audit
is the label they choose for this enthusiasm. It is a basis for
explicating and improving local procedures, for building group trust
and commitment and for providing newly visible facts as a basis
for intervention and improvement. In its pure form it is reflexive
in Beck's sense and there is a potential for the recognition of
self-produced risk in the form of misdiagnosis and patient mismanagement.
Figure 2 suggests that these self-auditing practices make the practice
'auditable' in another important sense: clinical accounting makes
the external evaluation of activities thinkable and possible. The
structure in figure 2 is still evolving in the medical context and
there is still very little systematic knowledge about the effects
of external audit on the first order practice or about how local
'self-audits' to the left get coupled to broader programmes for
control, supervision and evaluation on the right (Power 1997, chapter 5). In medicine
service purchasers have begun to make self-auditing arrangements
a contractual condition. Some contracts even require that these
local self-audits get externally verified and certified by an auditor
in a manner very similar to general quality assurance initiatives,
such as ISO 9000. Although many medical practitioners are uneasy
about these developments, the control of control structure in figure
2 is becoming institutionalized
The third issue is that, in mediating regulatory bodies, service
purchasers and first order organizational activities (producers
and service providers), auditing provides a problematic conjunction
between different logics: service quality evaluation and cost-effectiveness.
Although it is not easy to provide any a priori judgement about
the effects of these disparate logics, two points are worth making.
First, a logic of effectiveness based on need and one based on economy
and efficiency may often point in different directions. In order
for audits to manage this potential conflict there must be extensive
investment in making these two logics compatible: a cost effective
and efficient health service must also be an effective one; superior
environmental performance must be made compatible with cost savings
for organizations and so on. In short, audits must produce comfort
and not conflict. They do this by tending to concentrate on systems
values, the next link in the chain of control rather on than first
order activities. In short quality is a function of systems rather
than the activities which these systems control.
Fourth, the right hand side of figure 1 suggests that state regulators
and other bodies are delegating regulatory arrangements and using
sub-contracted audit as a basis for maintaining oversight. This
is only a slight exaggeration; the rise of audit as the control
of control is a challenge to other inspection and assessment type
practices which typically attempt direct observation of first order
activities. Inspection is becoming more like audit and in many fields
it is the arrangements for self-inspection which are being inspected.
Forms of self-inspection or self-audit (internal audit) are becoming
standardised around a management system which has two faces
or surfaces. The inner face corresponds to local needs for systematic
knowledge and control; the outer face makes evaluation and audit
of the system possible. The outer face provides a basis for certification
of internal control systems and is central to the structure of control
of control. The management system also provides a 'buffer' between
the external auditor and an evidential base grounded in the complex
outputs of the audited activity. In this way, external audit which
certifies the operation of the system is possible because it is
not inspection, because it does not look closely at specific
service outputs but only at the operations of the system. The certifying
auditor does not, like an inspector, require expert knowledge of
the auditee but only a more abstract and portable knowledge of systems
(Power 1995).
If this is generally correct, many 'audits' cannot automatically
be identified with surveillance and the 'audit society' is not simply
a surveillance society (Dandeker 1990; Lyon 1994). Audits may provide images
and signs of surveillance but they do not in substance do this;
they are a control of control. They operate in the realm of feasible
oversight, are cheaper than inspection and often generate symbols
or badges of control which are in excess of what they actually do.
This is what financial auditors call an 'expectations gap' between
what the public and regulators demand (e.g. that auditors detect
fraud) and what auditors can really do (review systems for weaknesses).
Although financial auditors complain about this expectations gap,
they cannot really do without it. Public misinterpretations of the
symbols of comfort they provide in audit reports is essential to
their market success. The lesson is that the control of control
structure of regulation must remain poorly understood because if
we cannot know the risks we face, we must nevertheless act as though
we do (Douglas/Wildavsky 1982). A particular
style of auditing has become institutionalised as a mechanism for
acting as if we know the risks we face, for processing and
controlling risk and for the production of signs of control. Audits
supply images of rational control in a fragmented postmodern world
which increasingly produces 'not material objects, but signs' (Lash/Urry 1994, 15) or badges.(4)
Two areas where this style of control of control is particularly
evident are environmental auditing and the institutional responses
to the risks generated by trading in financial derivatives.
Environmental auditing
In the case of environmental auditing, much regulatory and industry
energy has been expended on trying to define what it is and who
should do it. These debates reflect competition in the field (Power
forthcoming). Whatever else can be said, environmental audit is
not inspection and this is one reason why the US Environmental
Protection Agency has been cautious in its endorsement of the practice
(Bregman/Jacobson 1994, 221).
It is not a critical appraisal and reinternalization of environmental
impacts; it is conceived primarily as a 'management tool' capable
of sending appropriate signals to distant authorities. Environmental
audits are essentially a form of control of control in the sense
described above. The two prominent schemes which have been developed
in Europe are BS 7750 (incorporated into the ISO 14000 series) and
the European Union Eco-Management and Audit Scheme (EMAS). Both
are voluntary schemes. Although EMAS has more developed reporting
implications, both schemes emphasise the importance of a management
control system whose operations can be observed. The primary role
of the external verifier (EMAS) and certifier (BS 7750) is to attest
the proper functioning of the management system, an attention to
procedure rather to than the output of the auditee (Simmons/Wynne
1992, 215). Figure 3 provides a schematic overview.
Figure 3. Environmental Control of Control
Both schemes can be regarded in part as variants of a general model
of quality assurance in manufacturing systems. Quality, environmental
or otherwise, is not so much incorporated directly into a product
or service but into the process which produces them (Brüggemeier 1994, 90). This
shift makes possible a style of external auditing as the certification
of a quality assurance system rather than of the products
and services themselves. The systems emphasis within environmental
auditing has been criticised as misleading and bureaucratic, particular
by those who favour direct inspection rather than chains of control
of control.
Environmental auditing developed in the USA from forms of private
self-auditing with the aim of minimising potential liabilities.
Now the practice has begun to embrace forms of public disclosure
(Bregman/Jacobson 1994, 220)
and the environmental audit 'quality' label is a form of certification
intended to enhance trust and confidence in the product or service
(Simmons/Wynne 1994). The control
of control structure of environmental auditing reflects a chain
of certification which does not directly and explicitly communicate
information but signals it indirectly. Because of this environmental
audits have a problematic relation to transparency. They produce
a second-hand form of assurance that someone, the auditor, has looked
at the service or activity. But this is not a kind of transparency
which invites or could stimulate wider discussion; environmental
audits are not, and are not intended to be, democratic practices;
they may even make auditees less transparent and more obscure to
stakeholders (Simmons/Wynne, 1994). At worst
the control of control structure insulates the auditee from outside
inquiry; it does not stimulate a "careful balancing of arguments"
(Royal Society 1992, 166). From
this point of view, the question is whether environmental audits
are in reality tools of pacification rather than exemplars of 'reflexive
modernization'. Much depends on the role of the control of control
structure in fulfilling regulatory hopes by stimulating substantive
organizational learning and improvements with unequivocal environmental
benefits.
Like Beck in his more optimistic moods, Ladeur (1994, 322-3) describes environmental
audits in terms of their potential to activate "new forms of self-observation"
within a "more flexible 'proceduralized' firm. (...)The main principle
of these environmental management systems should be the generation
of more risk information." In other words, a procedural internal
reorganization of the firm is a precondition of reflexive regulation.
The danger is that the re-managerialization of risk through auditing
schemes may drift towards values of certification to please regulators
and purchasers rather than toward new opportunities for recognising
and acting upon the self-production of risk. Such a development
may not offer the prospect of a paradigm shift, a new consciousness
of self imposed risk. Rather, there is a danger that organizations
look increasingly inwards at their structures of risk management,
and close off, often defensively, possibilities for greater 'environmental
resonance'. This is the main problem with a regulatory style based
on control of control.
Financial Derivatives and Risk Management
Risk is conventionally regarded as a measure of the dispersion
or variation in the economic returns to be expected on stocks and
shares. Diversification is a rational basis for managing and minimising
this risk, and this has been formalised in terms of portfolio theory.
This theory tells us that rational economic agents who diversify
are left only with undiversifiable or 'systematic' risk. The latter
is the risk of the market as such rather than the specific share.
These market risks appear impersonal relative to individual decision
makers; they can be regarded as the environment of their risk calculations.
However, even these risks can be 'managed' by the use of derivative
financial instruments, derivative because their value is linked
to underlying market variables such as the price of a stock, a commodity,
interest rates or even a market index. Derivatives have therefore
become essential to sophisticated economic agents who wish to manage
the risks they face. Financial instruments with contingent characteristics
(options) can be used to offset these risks. These instruments can
also be used to speculate or bet on changes in the market variables.
The diversification of risk via financial management provides a
metaphor for the diversification of responsibility. Individual traders,
with the possible exception of the misleadingly titled 'hedge' funds,
do not connect what they do with such seemingly systematic phenomena
as market volatility, which they experience as external to themselves.
In financial markets it is as Beck (1992b) has put it: everyone is
cause and effect and thus non-cause and therefore not responsible.
However, financial regulatory authorities have a political responsibility
for market stability regardless of their actual capability for control.
In the 1990s, these authorities have been reacting to the implications
of derivatives. In the wake of the recent demise of Metallgesellschaft,
Orange County in the USA and Barings Bank there is a conspicuous
popular demonology of derivatives: these instruments have been described
as an economic 'contagion.'(5) Regulatory anxiety is
highest in the case of what has come to be called 'systemic risk'.
This is the risk that the whole financial system could be affected
'domino-style' by the failure of a single large counterparty. Individual
traders in derivatives principally face two types of risk: market
risk that the market variables which define the derivative instrument
(e.g. exchange rates, interest rates) may move unfavourably and
counterparty risk where, even where the market moves favourably
for one party, it has moved sufficiently for the counterparty to
be unable or unwilling to pay. The worst case scenario is a system
meltdown triggered by counterparty failure and its knock-on effect
to compensation and insurance mechanisms.
In the field of derivatives trading, an emerging pattern of control
of control is clearly evident. Regulators are engaged in what Luhmann
would describe as 'second order observation' i.e. the observation
of the manner in which risk calculations are made, of the risk of
the 'market risk' calculations by derivatives market traders. Regulatory
response is still evolving but conspicuous among the array of tools
is the demand for improved 'management systems' for derivatives
trading which embody purpose built risk models.(6) A form of 'derivative risk' auditing
has begun to emerge which reports on the effectiveness of the risk
management system in alerting management to any potential risk rather
than directly on the nature of the specific exposures a firm may
face. Such a system is very similar in structure to the environmental
management systems of BS 7750 and EMAS: there must be a policy,
monitoring of compliance with the policy and independent review
and audit (Touche Ross, 1994). Once again, figure
1 can be adapted to the case of derivatives management.
Figure 4. Control of control for derivatives trading
As in the cases of medical and environmental auditing, the structure
of figure 4 is still developing, but its attraction as a regulatory
approach in this context is clear. The intention is that financial
organizations are made aware of the self-production of risk to themselves.
Self-auditing through 'stress tests' and other forms of systematic
knowledge of risk exposure simultaneously control the risk that
would be exported to the system as a whole if the organization failed
to fulfil its obligations as a counterparty. Auditing is particularly
attractive in this context because regulators lack extensive inspection
capacity both in terms of knowledge and financial resources. But,
importantly, it also provides the system with images of self-control.
Auditing makes regulation in this most difficult technical area
look possible and, above all, manageable by providing the link between
the aspirations of distant regulators and those of profit oriented
traders. Financial organizations are coming to accept the merits
of risk management systems and the need for structured and timely
self-observation as a condition of their survival.
IV
Social theorists, like Ulrich Beck, have identified a number of
tendencies within late twentieth century societies. While much has
been written about the essential centrifugal and fragmenting forces
which operate, relatively little has been written about the growth
of compensating structures which seek, in some broad sense, to 'hold
things together'. Auditing in North America and the UK fulfils a
complex mixture of functions; it is simultaneously a form of a confessional,
a method of policing, a stimulus to learning and a public relations
exercise. It attempts to offset the decline of a central control
capability by the internalization of compliance and control. In
this broad sense, audit has become a substitute for law.
At the centre of the audit process is the management system which
is conceived as an opportunity both for organizational learning
and for compliance with desirable social ends. The idea and practice
of a management system internalized by a regulatee is an important
regulatory resource. Such a system makes audit feasible both economically
and epistemically. In Beck's terms, the 'fissures and gaps' between
social and scientific rationality are patched over in the management
system and its 'promise of security'. Inspection of outputs might
be too costly and may produce awkward conclusions; it also requires
the inspector to know something about what is being inspected. The
management system provides a surface which makes a certain kind
of certification based audit possible; it is a buffer between the
auditor and what the organization really does. And the auditor does
not want to stray beyond her brief, beyond the comfortable world
of the management system and the production of comfort. Audit is
a style of regulatory response which restores the mission of regulation;
it produces politically important signs of control and of compliance.
As part of a chain of 'control of control' auditing provides comfort
that the next link in this chain, a control system, is functioning
according to its blueprint.
The cases of medical, environmental and derivatives auditing suggest
how the internal creation of a management system has become a particular
style of risk management. The ambivalence of what audits produce
and their lower cost (relative to inspection) is their attraction
both to regulators and to auditors since the chain of 'control of
control' fragments responsibility. When things go wrong on the right
of figure 1 above, such as a financial or environmental scandal,
who can be blamed? The question is difficult to answer and financial
auditors claim that they are often wrongly accused. The regulatory
style which auditing represents cannot unproblematically be regarded
as evidence of 'reflexive modernization' in which the self-production
of risk is both internalized and opened out to dissenting groups.
Audits are generally private affairs and local self-auditing rarely
gives rise to greater transparency and participation. Furthermore,
auditing is not merely a neutral monitoring device in a chain of
control but acts on the next link in the chain to make itself possible.
The effects of this kind of auditing remain poorly understood.
In the end environmental 'resonance' in Luhmann's terms may tell
us less about the dangers we 'really' face and more about the 'risk
experts' and their practices who become trusted (Douglas/Wildavsky 1982). This is
long way from the provision of forms of information, either internally
or externally, which could generate new conceptions of responsibility,
a new self-observation of the self-production of risk. But is there
nothing to be salvaged from auditing which suggests the emerging
transformations described by Beck? Could auditing actually be a
vehicle for a reflexive modernity? The question is whether, for
all the problems described above, the control of control structure
in all its different forms may nevertheless create the kinds of
"social entanglements or commitments" and "regularized forms of
openness" (Selznick 1994, 397) which make organizations
more sensitive and porous to their environments. Much will depend
on whether regulators can stimulate audits which really do mediate
between general principles of control and accountability which have
a populist basis, and internal procedures capable of uniting technical
and moral competence. This is ultimately an empirical question and
in this essay I have attempted to temper some of the unguarded optimism
and enthusiasm which has accompanied the 'audit explosion.' It should
also be remembered that Beck is correct to suggest that the 'institutionalized
non-management of problems' is only one more disaster away from
abandoning its commitment to the production of comfort
|