The practice of risk management: Silence is not absence
- First Online:
- Cite this article as:
- Corvellec, H. Risk Manag (2009) 11: 285. doi:10.1057/rm.2009.12
In contrast to risk management studies on organisations that overtly deal with risk, this article explores organisational risk management in a context in which risk is more or less absent from managerial vocabulary or organisational communication. It presents a single case study of a Swedish public transportation authority in which managers actually attend to a multitude of risk matters through contracts, a selective view of responsibility and dialogues, but without explicitly referring to them as risks. Two related claims are made on the basis of this case study. One is that the practice of risk management needs to be decoupled from the theories of risk management; another is that risk management practices do not need to be explicit but can be embedded in the managerial tactics (after De Certeau, 1990) that characterise the organisation's operational mode. Put concisely, silence does not necessarily mean the absence of risk management. This calls for a redefinition of the boundaries and nature of risk management theory and practice.
Keywordsrisk managementpracticePublic-Private Partnerships (PPP)public transportationSweden
The dynamism of risk management research substantiates Ulrich Beck's (1992) thesis that a characteristic of late modernity is to be obsessed with risk. A comprehensive body of knowledge on the management of risk that is both sensitive to contextual contingencies and amenable to integrative efforts (Renn, 2006) has emerged from the study of activities that involve the possibility of spectacular accidents, such as mining (Sauer, 2002), fire-fighting (Weick, 1993) or space travel (Vaughan, 1996), as well as activities that have the potential for major catastrophes: nuclear power accidents (Perrow, 1984), a systemic financial meltdown (Crouhy et al, 2006). Even activities that tally many individual deadly accidents have been attended to, for example, the construction industry (Gherardi and Nicolini, 2002).
Scholars from many disciplines have devoted careful attention to depicting how organisations can identify, manage or communicate risk. An array of risk regulation regimes (Hood et al, 2001) has been mapped, together with the national differences that exist between how public authorities behave to mitigate risk aversion and enjoy trust among the public (Löfstedt, 2005). Business leaders are invited to develop an understanding of the changing nature of risks in a global era (for example by Cleary and Malleret, 2008). For this purpose, there exist numerous procedures to identify, analyse, evaluate and classify risks (see Renn (2006) for a synthesis), inclusive of systemic risks (OECD, 2003). There also exist a range of managerial tools to decide whether and how to avoid, transfer, mitigate or accept risks, both general (for example, Reason, 1997) and industry-specific (for example, Crouhy et al (2006) for the banking sector).
Risk management is a strategic activity (Andersen, 2006) that does not only consist in models, algorithms, checklists or programs. The cultural dimensions of risk (Douglas, 1992) and its management have been repeatedly emphasised. Risk is acknowledged as a situated knowledge mode that actors can adopt or leave at will, depending on needs and circumstances (Boholm, 2003), to deal with the uncertainty of the future in a quantitative manner (Reith, 2004). Professional patterns of communication and coordination are, for example, the cornerstones of work safety routines (Sanne, 1999). Likewise, successful risk communication depends as much on communicating values as it does on providing technical information (Palenchar and Heath, 2007).
Man-made disasters (Turner and Pidgeon, 1997), normal accidents (Perrow, 1984) or high-reliability organisations (Roberts, 1990) are examples of risk management concepts that have entered standard managerial vocabulary. Today, the use of risk management is increasingly featured as a marker of good corporate governance (for example, Drew and Kendrick, 2005); this is true to such an extent that some even consider that to ignore it has become in itself a source of risk for corporations (Power, 2007), societal institutions (Rothstein et al, 2006) or the ecological balance of post-industrial modernisation (Shrivastava, 1995).
An unspoken assumption in much risk management research, however, is that risk management is best studied in organisations that are overtly exposed to significant risk, for example, because of their hazardous technology (Reason, 1997) and the unexpectedness they involve (Weick and Sutcliffe, 2007). Or that it is best studied in companies (for example, Rogachev, 2008) or municipalities (Nilsen and Olsen, 2005) that use systematic and organisation-wide risk management approaches. This is a problematic assumption that focuses risk management research on a narrow set of organisations and prevents risk management scholars from recognising the possible merits of studying risk management in the many organisations that do not explicitly deal with risk. Risk management tends to be reduced to explicit, even formalised, risk management. Correspondingly, knowledge remains comparatively thinner about the management of risk in organisations in which risk is not overtly on the managerial agenda. This is regrettable.
Aiming at a ‘more integrated view of risk’ (Turner, 1994, p. 148), the purpose of this article is to show that even in organisational contexts in which risk management is not explicit and risk is not addressed in a formal manner, the management of risk can nevertheless be systematic and possibly effective. A case study of Skånetrafiken, a Swedish regional public transportation authority, serves as an illustration of this claim. Skånetrafiken is operated through public-private-partnerships (PPPs), an organisational arrangement that involves numerous risks. Nevertheless, risk is relatively absent from Skånetrafiken's organisational communication or managerial vocabulary. This is not to say that Skånetrafiken is operated in a careless way; managers address transportation or PPP-related risk matters carefully, but not necessarily just as risks. Risk matters are addressed from within the organisational modus operandi through contracts, a selective view of responsibility and dialogues with contractors. A key finding is that at Skånetrafiken there is an absence of formal risk management and a reluctance to use a risk vocabulary, but this is not the same as an absence of risk management. Risk management at Skånetrafiken is embedded into the tactics (in the sense given to the term by De Certeau, 1990) of managerial practice (in the sense given to the term by Schatzki (2001) or Gherardi (2009)).
This finding that risk management is embedded into tactics not only invalidates any reduction of the management of risk to explicit risk management. It is also an invitation to look into the many organisational contexts in which the management of risk is not explicit to better understand the details of actual risk management in organisations. The Skånetrafiken case addresses a message to the rapidly growing risk management research and industry: it might be judicious to reconsider the limits, and thus the nature, of risk management in organisations to better account for and make use of how managers deal in practice with uncertain situations (van Asselt, 2005) in their everyday organisational life. To paraphrase Lipsky (1980), organisations are populated with street-level risk managers; it is time for risk management research and practice to fully acknowledge this.
The article begins with a presentation of the Skånetrafiken case, featuring the case organisation, describing the risk that the literature claims PPPs are involved in, and outlining the study's methodology. Next comes a discussion about the relative absence of a risk vocabulary at Skånetrafiken. This is followed by a description of how Skånetrafiken managers actually deal with risk through contracts, responsibility and dialogue. Two related claims are presented in the analysis that follows. One is that the practice of risk management needs to be decoupled from the theory thereof, albeit with caution. The other is that risk management practices do not need to be explicit, but can be embedded in the managerial practices that constitute the organisation's operational mode. Put briefly, silence does not necessarily mean absence. The concluding remarks present a few matter-of-fact consequences of this finding.
The Skånetrafiken Case
A regional transportation authority
Skånetrafiken is a subdivision of Region Skåne, the regional authority for the southernmost part of Sweden. Skånetrafiken was created in 1999 out of a mix of municipal and regional authorities, and it enjoys an exclusive legal right and responsibility (SFS, 1997, p. 734) to offer public transportation services in the region. Skånetrafiken is a public organisation led by an appointed traffic director who is under the hierarchical control of a traffic committee, the board and the general assembly of Region Skåne, all of which are composed of elected politicians.
Skånetrafiken sells more than a hundred million trips per year, or collects nearly two hundred million euros of revenues from ticket sales and a hundred million euros of tax-financed support from the regional government, but it is an organisation of fewer than 200 people. The reason is that Skånetrafiken procures all transportation services from private contractors and operates only a few customer relationship activities by itself. Its role is to plan, lead and evaluate public transportation in Skåne in accordance with the goals set by the politicians who lead the regional authority. About 80 people work with Skånetrafiken's core activity: to operate regional public transportation though PPPs with train or bus contractors, some of which are local companies and others international.
Risks in Public-Private Partnerships (PPP)
PPPs are forms of contractual cooperation between public authorities and the world of business that aim to ensure the funding, construction, renovation, management or maintenance of an infrastructure or the provision of a service (Commission of the European Communities, 2004). They range from relatively simple contract services to complicated design-build-finance-operate-maintain development agreements, through sale and leaseback arrangements or turnkey transactions. Some are organised as a contract between distinct organisational entities; others involve a cooperation of the public entity with the private agent organised into a distinct entity (Commission of the European Communities, 2004). As Grimsey and Lewis (2004, p. 6) put it, ‘[t]he essence of a PPP is that the public sector does not buy an asset; it is purchasing a stream of services under specified terms and conditions’. Duration is what differentiates PPPs from traditional public procurements.
A key trait of PPPs is to involve ‘a risk sharing relationship between public and private promoters, based on a shared commitment to achieve a desired public policy outcome’ (European Investment Bank, 2004, p. 2). This is an all the more important trait that causes a PPP to be involved in all sorts of risks. It first involves project-specific risks. For an infrastructure project, these can be technical risks as a result of engineering or design failures, environmental risks because of adverse environmental impacts and hazards, or force majeure risks involving war and other calamities (Grimsey and Lewis, 2004). Other types of projects, such as a social programme or the organising of an event, involve other kinds of project-specific risks. But a PPP also incurs the risks involved by its being a contractual arrangement, and even more so, its being one between public and private parties. Therefore, a PPP always involves some kind of legal risk, for example, because of ill-designed provisions or conflicting legislations, and a political risk, for example, as a result of a change in political majority and policy. Finally, a PPP encompasses all the risks pertaining to an economic venture: from micro-economic risks, such as a decrease in revenue or a rise in operating costs, to the macro-economic risks of inflation or exchange rate instability.
A PPP is thus characterised by a complex risk picture that mixes technical, legal or economic risks (Leviäkangas, 2007) with site-related ones (Grimsey and Lewis, 2004). Moreover, these risks differ depending upon which type of PPP it is a question of (Phang, 2007), which phase of the project one is considering (Lewis, 2001; Hurst and Reeves, 2004; Loosemore et al, 2006; Ng and Loosemore, 2007), whose point of view one adopts (Ahadzi and Bowles, 2004; Brown and Potoski, 2004; Zitron, 2006; Taylor, 2007), or whether one adopts a micro, meso or macro perspective (Bing et al, 2005; Ng and Loosemore, 2007).
The political rationale of PPPs is to achieve the best possible value for public money through risk allocation between the public party and the private party that results in lower overall risk for the project. Optimally, risks should be allocated to the party best suited to manage them, and, theoretically, the profit motive should lead the private partner who is transferred a risk into being effective (Nisar, 2007). Thus, risk allocation is both an incentive and an outcome. Choosing the wrong allocation model or inaccurately evaluating the risk management capacities of each party may have costly consequences and a negative impact on the use of public money (US Department of Transportation, 2007), which is why the literature provides detailed risk allocation guidance. Lewis (1999) proposes a risk-remedy algorithm that asserts which tender has the least cost for achieving the required values. Ng and Loosemore (2007) recommend that risks should only be given to contractors who have the necessary knowledge, ‘risk appetite’, managing ability and the possibility to charge an appropriate premium for taking them. And Grimsey and Lewis (2004) recommend that risk allocation be governed by a combination of service delivery specifications, features of the payment mechanism and contractual provisions.
A noted problem with regard to risk management in PPPs is that the resources and risk managing capabilities of the contracting parties can vary considerably (Ng and Loosemore, 2007). Rules and other conditions of the project can change so that new, unforeseen risks may emerge after the passing of the contract. Furthermore, it is not always possible to decide whether a risk should be allocated to the party that has the greater ability to reduce the probability of occurrence, or to the party that has the best ability to deal with the consequences of the negative event that the risk refers to (Leiringer, 2006). Moreover, authorities need to trade off project-related risks with hard-to-appreciate political risks; authorities also face a dilemma with regard to risks that neither party can control (Nisar, 2007). All PPPs are not successful (for example, Shaoul, 2003; Hurst and Reeves, 2004), and there are examples of public authorities having to pay for PPP projects that run into trouble (Renda and Schreffler, 2006). Nevertheless, projects might be too opaque for a reasonable risk assessment to be possible (Hood et al, 2006), whereas the accounting techniques that determine a project's value for the money are not politically neutral but potentially controversial (Shaoul, 2002). Policy makers and practitioners are therefore recommended to proceed with great care and sensitivity to the specificity of every project.
To summarise, PPPs are an organisational arrangement involving numerous risks that are essential to manage properly if public money is to be spent efficiently. But this management involves considerable practical difficulties. It is with this in mind that the author started his fieldwork at Skånetrafiken: to explore how risk decisions are made.1
This is a qualitative single case study with an illustrative purpose. The fieldwork took place during 2007 and 2008. It consists of a systematic analysis of texts issued by Skånetrafiken or its contractors, both for internal and external use, and media coverage of local transportation in the local press. It also consists of 18 interviews. Almost all of Skånetrafiken's top managers, several middle managers and front-line personnel have been interviewed for between 1 and 2 hours, some of them several times. These interviews have taken place at Skånetrafiken's offices in Hässleholm, Lund and Helsingborg, as well as aboard trains. The author has also attended a series of internal management meetings and participated for more than two years at the Company Council where Skånetrafiken invites its contractors to inform them of its results and plans, and to hear about their concerns. Longer interviews have also been conducted with top and middle managers at one of the main contractor's offices, and with the developer of the national system for incident reporting. A telephone interview was conducted with the regional risk coordinator. Most interviews have been discussions rather than formalised appointments, often using as a starting point something related to a meeting that the interviewee and the author had attended. The author has even been a daily user of Skånetrafiken's services for more than 20 years, which has provided uncountable opportunities to make informal observations and chat about Skånetrafiken with employees and co-travellers.
This study is grounded in an absence of a risk vocabulary at Skånetrafiken, as described in the next section. It is not, however, a study of the reasons for this absence. It focuses on how Skånetrafiken managers deal with risk in practice, despite the fact that they do not address risk as such. Why there is no social construction of risk at Skånetrafiken is outside the scope of this study. It would be an interesting study, but a completely different one.
Combining Contracts, Responsibility and Dialogue
A relative absence of risk
Considering that Skånetrafiken operates through PPPs that the literature describes as particularly risky arrangements, one could expect that Skånetrafiken managers would be much concerned with risk. Such is not the case, however. Risks are not among the sort of things that they spontaneously mention, for example, at meetings. When questioned about which risks they think that Skånetrafiken faces, they tend to answer briefly, and focus on risks of the brand ‘Skånetrafiken’ being harmed if people accumulate negative travel experiences. If the interviewer persists, respondents may mention a change in national tax legislation, an insufficient railway capacity for the long term or reduced financial support from Region Skåne. Risk does not belong to the common vocabulary of Skånetrafiken managers. It is a term that they seem to reserve for difficulties that could possibly hurt the organisation but over which they do not exert control or influence. ‘We have problems, not risk’, one of them declares in a terminative manner to a persistent series of my questions.
A similar relative reluctance to speak of risk is to be found at www.skanetrafiken.se. A word search for risk and its variants made in November 2007 shows that the term appears no more than 70 times in the approximately 30 web-pages and 700 document pages about the organisation, its mission and functioning. Half of these appearances, moreover, come from the same 167-page handbook for designing bus stop areas. The term is absent from the 2004 to 2006 annual reports. It is also absent from the 2006 activity plan, whereas the 2007 plan mentions that Skånetrafiken risks being perceived as a non-caring company. The same document also mentions that no one shall risk being hurt, either physically or psychologically, or experiencing insecurity when travelling on or working with public transport. Even yearly traffic supply plans refer to risk as materials possibly being vandalised or staff and travellers being subjected to violence; some traffic supply plans refer to operations-related risks such as congestion, collisions or delays; one suggests that contractors run a commercial risk or that public transportation risks losing market shares to private car transportation. Finally, the long-term train strategy mentions the operational risk that growth-related goals might not be met if track capacity is not increased in due time. It also mentions the economic risk that ticket sales end up covering less than half of Skånetrafiken's running costs. None of these references to risk is particularly elaborated upon, though: as a rule, they consist of one sentence or two, without any estimation of probability or potential losses, possibly to avoid worrying the public. But risk is hardly a foregrounded theme in Skånetrafiken's communications.
One might wonder whether Skånetrafiken is managed in a careless or incompetent way. But this is not the case. The Swedish reporting system for traffic incidents has not been in place long enough to produce comparative statistics, but Skånetrafiken is usually looked up to in the Swedish world of public transportation. It is known for its growth, high level of self-financing and capacity for innovation. Its managers serve regularly as experts on national projects or evaluation committees. It is rare that contractors appeal to contract attribution. And Skånetrafiken ranks among the regional public transport authorities with the highest level of satisfaction among commuters and the public (SLTF, 2007).
If risk is relatively absent from language use at Skånetrafiken, it is because matters that are discussed in terms of risks in PPP literature are dealt with by means of another vocabulary of contingency: for example, ‘problems’ ‘discrepancies’, ‘imbalance’ or ‘uncertainty’. Skånetrafiken managers address the potentially negative consequences of contingency without identifying such an activity for risk management and producing a discourse on ‘risk’. Let me describe how.
Skånetrafiken is a contracting bureaucracy (Prager, 1994) and contracts are the single most important steering tool of its managers. The 90 PPP contracts that they handle detail the characteristics of the bus lines involved, including routes, the technical characteristics of the vehicles to be put into traffic, and, most importantly, timetables. They also describe quality measurement procedures, quality-related incentives and the economic penalties attached to operational failures such as delays or cancelled travel. Parts of the contracts are standard; parts are specific to the traffic package under consideration.
Contracts do not explicitly mention risks. But when they tell who is to manage which uncertainty and even specify how, in practice, they are allocating risk matters. Skånetrafiken retains the commercial risk matter related to its brand. It also retains the economic risk matter of a downturn in demand and revenues, at least up to the levels of which contracts make a provision for re-negotiation. Skånetrafiken even retains the macro-economic risk matters of inflation, as contracts are price indexed, but tariffs or the financial support that it receives from Region Skåne are not. And Skånetrafiken fully retains the political risk matter of diminishing support by the regional government. Inversely, contracts allocate operational risk matters to contractors, so that Skånetrafiken is shielded from employee or transportation material-related risk matters.
This allocation scheme results from learning, negotiation and decision-making processes that intertwine extra-, intra- and inter-organisational elements. This process started with the deregulation of public transportation in the 1970s (SOU, 2003, p. 67), and has been influenced by various external factors such as changes in the political majority at Region Skåne, the introduction of European law into Swedish legislation or the introduction of gas-driven buses. In recent years, Skånetrafiken managers have developed a greater concern for quality issues, thus increasing quality-related incentives in contracts. Today's contracts express an accumulation of rules of thumb rather than a systematic analysis of risk matters in an effort to reach an optimal risk allocation to the party best suited to handle them, as recommended by PPP literature.
Risk allocation at Skånetrafiken is indeed a matter of power balance between a legally appointed monopsony and its market-based contractors. As a single buyer, Skånetrafiken has many opportunities to engage selectively with risk by designing their own contracts, thereby controlling its exposure to risks. But Skånetrafiken also needs a sufficient number of contractors to find its call for tenders attractive enough so that the competition stays alive. The terms of this power balance are shifting and hard to determine. Skånetrafiken managers have learned over the years how not to press contractors beyond what they can support; not surprisingly, contractors reply that Skånetrafiken often goes too far. The allocation of risk matters through contracts is an evolving matter that is by nature full of conflicts.
Skånetrafiken counterbalances the formalism of contracts with a selective claim for responsibility for what is undertaken under its name. The contractual scheme described above does not imply a disengagement of Skånetrafiken from responsibility, but a definition of what its managers accept to be held responsible and accountable for.
Skånetrafiken managers advocate an ultimate responsibility for providing seamless transportation services. They underscore that ‘contractors act on the behalf of Skånetrafiken’, ‘it says Skånetrafiken on the ticket’ or ‘it is Skånetrafiken's tickets that contractors sell’. Passengers will not need to know which contractor they travel with, especially as they may meet several contractors during the same journey. Passengers will not even be concerned about the fact that Skånetrafiken is operating through private contractors. Skånetrafiken managers consider it their responsibility that the public transportation system will operate trouble-free, but their endorsement of potential problems is not boundless. All complaints about delays should be addressed to Skånetrafiken, regardless of where the failure originates; on this account, Skånetrafiken accepts an overarching responsibility in front of the public, even though it most often economically sanctions the contractor for the failure. But Skånetrafiken turns down any responsibility for accidents because of poor maintenance or individual offences. In such situations, Skånetrafiken managers refer instead to the contractual obligations of contractors or the law enforcement responsibility of the police; thereby they limit their organisation's responsibility. As users tend to blame Skånetrafiken rather than contractors whenever a problem occurs, Skånetrafiken managers often need to precisely define the boundaries of their responsibility in the local press.
This selective (language of) responsibility allows Skånetrafiken to articulate a public service concern with the commercial conditions stipulated in contracts. In terms of risk management, if contracts are ways to allocate risk matters, responsibility is a way to share them. For every problem that affects passengers, Skånetrafiken runs a reputational risk and contractors an economic one. Responsibility generally has the characteristic of not staying constant in quantity when shared, but possibly expanding. Sharing risk matters can therefore involve multiplying them and changing their nature. Skånetrafiken managers’ sense of responsibility does not diminish the contractors’ responsibility; it duplicates it and takes it to a new direction.
Along with contracts and a selective sense for allocating responsibility, Skånetrafiken manages risk matters through dialogue. Contacts between Skånetrafiken managers and contractors are frequent and diversified. Skånetrafiken managers not only meet contractors through the tendering processes, but numerous face-to-face meetings also take place at varied hierarchical levels.
Three or four times per annum, Skånetrafiken's top management invites the top management from contracting firms to Company Council meetings to exchange information standpoints, proposals and criticisms. During these meetings, contractors can, for example, complain that Skånetrafiken plans to introduce new on-board ticket-validating machines, although this is not specified in all existing contracts. At a lower hierarchical level, Skånetrafiken traffic managers maintain close operational contacts with managers in contracting firms. They review the traffic log daily if needed; they discuss timetables or service quality; or they join to meet municipal representatives and discuss traffic planning and operations. Moreover, whenever some major incident occurs, managers at all levels make immediate contacts with their counterparts, especially if the incident is mentioned in the local press.
Dialogues are intended to help find joint solutions to problems and apportion managerial answers, responsibility and blame. For example, take the chronic problem that stones are thrown at buses or trains, with the material result that front or lateral windows sometimes get broken. This is primarily approached as a work safety issue, and does not require the involvement of Skånetrafiken. It is up to the contractor, which is the employer, to take the necessary measures to end the problem, for example, calling parents, children and the local school authorities to a meeting. But if the contractor wishes to close a bus line temporarily, for example, because the trade union safety representatives demand it, Skånetrafiken representatives will take part in the decision, as this affects the level of service. Dialogue helps in finding ways to articulate the responsibility described above with the contractual clauses that bind the parties.
In terms of risk management, dialogues are ways to mitigate and diminish risk to both parties, for example, legal risks induced by regulatory changes. For the long term, dialogues also help contractors mitigate the contracting risk that they may take on when bidding for a new contract, which in turn limits Skånetrafiken's risk that too few bidders answer to its tenders. This is an ideal picture, though. Dialogues take place on the same background of asymmetrical power relationships that contracts do, and not all occasions for dialogue actually result in a genuine dialogue. Contractors complain, for example, that Skånetrafiken all too often uses dialogue to improperly transfer risk onto them and evade its responsibility.
Taken together, contracts, responsibility and dialogue constitute a modus operandi through which Skånetrafiken managers allocate, share and mitigate – critics would say protect themselves from – risk matters. Hundreds of PPPs have produced a habitualisation (Berger and Luckmann, 1966) that provides them with a stable experiential background through which they can process new PPPs. They do not need to define anew, step-by-step, how to proceed. Their experience allows them, instead, to narrow rapidly the scope of choices that have to be made. The product of an incremental organisational learning process, this organisational modus operandi, partly imposed on contractors and partly negotiated with them, has become institutionalised in the sense that it is now a reference for all parties. Most interestingly, it is a comprehensive risk management scheme that hardly makes any explicit reference to risk.
Situating Risk Management in Managerial Practice
A Jourdainian approach to risk management, and its limits
The first lesson that one can draw from analysing how Skånetrafiken managers deal with risk is that one does not need to speak of risk management to conduct risk management. In this regard, Skånetrafiken managers bring to mind Molière's character of Monsieur Jourdain in The Bourgeois Gentleman (1670). Monsieur Jourdain is a wealthy bourgeois, rich through trade but of common birth, who goes to ridiculous lengths to learn how to behave as a gentleman of the nobility. At one point in the play, he hires a professor of philosophy to help him write a note for a lady. When the professor asks Monsieur Jourdain whether he would prefer to write this note in verse or in prose, Jourdain answers that he wants neither. The professor then answers that ‘it's one or it's the other’, which leads Jourdain to make the self-admiring discovery that ‘These forty years now, I’ve been speaking in prose without knowing it!’ As often with Molière, the satire is ambiguous. It targets the flattering professor as much as the apprentice gentleman. But it forcefully reminds us that one can engage in a practice without being aware of the theory behind that practice or the language associated with the theory.
The Skånetrafiken cases illustrate that the practice of risk management can be decoupled from the theory thereof, even in a domain thoroughly covered by the literature. Skånetrafiken managers demonstrate that practitioners are not dependent on being aware of risk management knowledge to manage risk effectively. They give proof of an enactment-based knowledge of risk management (Collier, 2008) based on a repeated practice of contracts, responsibility and dialogue. Like prose for language, risk management can be viewed as a label placed by risk management research on specific managerial practices, and managers do not need to acknowledge this label. The management of risk cannot be reduced to the canonical rationality of risk management experts; it even encompasses the instrumental rationalities of lay practitioners (Horlick-Jones, 2005). Thus, there is a need to redesign the boundaries and re-think the nature of risk management.
A decoupling of risk management theory and risk management practice should be approached critically, though. One could argue that public transportation in Skåne would benefit from Skånetrafiken managers learning more about risk management and its language. There is indeed more in a name than simply a way of pointing at something; a name is indicative of a way of understanding reality and turning it into something manageable that is anchored in a specific social and cultural imaginative faculty (Rosengren, 2006). Risk is an organising idea for decision-making and accountability (Rothstein et al, 2006); it is a means to introduce new modes of individual, organisational or societal governmentality (Dean, 1999). For example, a systematic reflection on risk could provide opportunities for Skånetrafiken managers to focus their attention on the issue, develop a new sense of their activity and identity, and induce some re-organising of their procedures for control (Hutter and Power, 2005). It could help them develop an administrative culture that is concerned with the need to recognise and address possible risks in a systematic, pro-active and reflexive way (Halachmi, 2005). It could likewise help them be prepared to communicate with its stakeholders (Gurabardhi et al, 2005). Molière's satire is an attack on the social excesses of knowledge, not an attack on learning in defence of ignorance. The dramatist would probably agree with Kurt Lewin's famous statement that ‘[t]here is nothing so practical as a good theory’ (1951, p. 169), although it is likely that he would wittingly debate about what characterises a ‘good theory’.
One could also speculate that it might simply be a matter of time before Skånetrafiken managers start to conduct systematic organisational risk management. As Power (2007) shows, the very specific brand of risk management that has developed in the United Kingdom in recent years (based on corporate governance and risk audits, enterprise risk management (ERM) and risk calculation, operational risk and risk regulation) has developed into a normative codex with a domestic and international dynamic of its own. Travelling across borders and organisational fields (Czarniawska-Joerges and Sevón, 1996), risk tends to colonise more and more sides of organisations and societies (Rothstein et al, 2006). It imposes itself hegemonically, not only as a means of managing uncertain situations (van Asselt, 2005), but as an entire rationality and morality of governing people and organisations. To comply with the recent bill on extraordinary events (SFS, 2006, p. 544), Region Skåne has actually ordered Skånetrafiken to conduct a risk and vulnerability analysis of an influenza pandemic. This might be the first of a series of steps toward the development of a formal risk management system.
More critically, one could consider the above analogy between prose and risk management as logically flawed. It actually builds on a partly delusive parallel, namely, that the dichotomy of managing risk versus not-managing risk is akin to the prose versus verse dichotomy. But the prose versus verse dichotomy in The Bourgeois Gentleman is akin to a mathematical partition, that is, a decomposition of a set into a family of disjointed sets, whereas the managing versus not managing risk dichotomy is not. The prose versus verse dichotomy assumes that (a) there is something that is verse and something that is prose, and that (b) any statement is one or the other. In other words, prose and verse form a totality outside of which there is nothing. Such is not the case with risk management. Only those who maintain the strictest objective (or objectivising) view of risk management could claim that it is possible to say with perfect exactitude that this is risk management and this is not. Management is a matter of degree. PPP literature is very explicit on this point: the management of risk in a PPP is something that can be done more or less comprehensively and more or less well, depending upon the circumstances. Managing risk and not managing risk do not stand as two clear-cut alternatives that build a totality outside of which there is nothing. They are more like the two ends of an analytic continuum along which managers move back and forth.
The analogy of risk management and the use of prose in The Bourgeois Gentleman is thus not perfect. It nonetheless remains evocative. Molière's irony bites and Monsieur Jourdain's dramatic discovery resonates pertinently in how Skånetrafiken managers approach the management of risk. It is possible to decouple practice from its theory, and one needs to look for risk management practice beyond explicit risk management, with mindfulness (Weick and Sutcliffe, 2007).
Tactics of risk management
The second lesson of the Skånetrafiken case has already been incidentally introduced, namely, that risk management is embedded in managerial practices. Embedding does not refer here to organisational members integrating pre-set risk management devices into the organisational modus operandi, as discussed in Fraser and Henry (2007). The term refers to the fact that it is through their ordinary managerial practices that managers address risk matters and respond to them.
Schön (1983, p. 60) points out that practice is an ambiguous term. It can refer both to ‘performance in a range of professional situations’ and to ‘an element of repetition’, the two not being fully mutually exclusive. In line with other management studies (for example, Gherardi, 2009), practices refer here to the arrays of human activities (possibly mediated by artefacts, hybrids, and natural objects) that managers participate in and share in the exercise of their professional activity. The term depicts the managerial doings, inclusive of imaginings and sayings, that are organised by the a priori understandings, preferences, rules, routines, goals and structures that characterise an organisation (after Schatzki, 2001). Schematically, managerial practices at Skånetrafiken correspond to how managers design contracts, experience responsibility and engage in dialogue. An outcome of a long-lasting learning process influenced by numerous external factors, these practices are an accretion of experience-based rules that have been institutionalised, and now build an operational mode that is idiosyncratic to Skånetrafiken and its commercial partners.
This accretion does not follow a prearranged design. The management of risk at Skånetrafiken unfolds instead along what one could label, after Michel De Certeau's (1990) analysis of everyday life, the tactics of everyday management. De Certeau, who is a philosopher and not a strategy scholar, defines tactics in contradistinction to strategies. For him, strategies are linked with wills and structures of power. They suppose the calculus of force-relationships within a place that can be circumscribed as proper (the department, the organisation, the industry), and can thus serve to generate relations with an exterior distinct from it (technical, economic, legal or commercial impediments; competitors or regulatory instances; other contextual factors). The rationality present in traditional risk management literature is an instance of DeCerteausian strategies. It supposes that actors can isolate an object of calculation, for example, the PPP, and provide it with a distinctive interiority and exteriority to rationally operate it.
Tactics, on the other hand, cannot count on a proper place, De Certeau (1990) argues. Initiators of tactics, for example, managers, need to carve out space for themselves and their practices within the environments ruled by what De Certeau calls strategies. Skånetrafiken is true enough a place in its own right, but the clauses in contracts are not pre-designed, responsibility is not defined by nature, or confidence in dialogue is not given – to mention but a few examples of what Skånetrafiken managers need to invent to provide their management of risk with content. This takes (sometimes considerable) time. Cunning, even pretence or trickery, is needed in order to avoid setbacks when events are to be manipulated into opportunities. Moreover, tactics are not exerted on delimited objects. Risk management tactics evolve incrementally, for example, from interactions with heterogeneous and circumstantial elements such as a breakthrough in regional infrastructure planning, political whims, engine technology innovation or an increased awareness of climate change. Tactics are full of discoveries and even surprise. They give actors opportunities to display acts and manners through which they ‘seize’ contractual or dialogical opportunities, for example, when EU legislation changes or a new on-board ticket-validating system is developed. With a ground in what ancient Greeks called the metis, that is, practical intelligence, resourcefulness and a sense of opportunity (Detienne and Vernant, 1974), tactics shape their objects permanently, reforming them endlessly in a spirit of disruptive entrepreneurship (Hjort, 2005).
Taking place on a micro-level, risk management practices are embedded in the macro-social web of symbolic, technological, legal or economical elements of prevailing world views. Indeed, practices construe micro-macro linkages (Coulter, 2001). Despite the fact that it refers to non-explicit risk management practices, the Skånetrafiken case illustrates what Turner (1994) calls the convoluted, contested and politicised nature of risk decisions. When Skånetrafiken managers close PPP-contracts, they implicitly follow and provide, for example, an expression for the neo-liberal tenets of new public management. PPPs actually express a belief that as far as service provision is concerned, process is a neutral matter if output is closely monitored; they also express that private actors are assumed to be more effective and disciplined than public ones because of the profit motive; or they assume that competitive tendering is a satisfactory enough proxy for actual competition to promote efficiency and effectiveness. Another ideological climate would generate different managerial practices, risk definitions and risk management practices. For instance, an increased concern for the ecological impact of carbon-dioxide emissions is likely to redefine in the near future mobility and even public transportation growth as risks to be managed. Not in a mechanical or deterministic adaptation to structures though, as De Certeau (1990) notes. Practices function instead as a hearth, the locus where bits and pieces of influential political, economic, symbolic or discursive structures, to name but a few, are combined in specific, but not always clearly identifiable, ways. Situated in endless patterns of contextual embeddedness to which they give an actual expression, risk management practices are observable, but too contingent to be amenable to prediction.
Concluding Remarks: Listening to Practice
Risk management research has its historical roots in the overt management of risk in risk-prone activities. But, whereas all organisations face uncertainty, not all are involved in explicit risk management. As illustrated by the Skånetrafiken case, organisational risk management can be non-explicit. The management of risk can be taken care of by managerial tactics that do not openly refer to risk, but nevertheless address in a comprehensive and effective manner the risk matters attached to the organisation's activity. An organisational silence about risk does not necessarily imply an absence of risk management, the reasons for this silence being a potentially important but different issue. The management of risk can simply be embedded beyond explicit recognition in the minutiae of managerial practice.
Managerial vocabularies are important traits of an organisation's life, but they do not cover actual managerial practices in all their richness. Practices have layers that the terms used to render them do not necessarily render. This is why to understand the nature of risk management, it is necessary to go beyond what managers tell about what they do. There is a need to unfold their practices in the face of hazards and uncertainty, inclusive of what these practices reflect in terms of organisational learning, ideological options and organisational power games, even in organisational contexts in which people do not openly use a risk vocabulary to deal with contingencies. Risk management research has nothing to lose from a clearer acknowledgement that the management of risk in organisations is richer in forms and nuances than as thus far conceived in risk management. On the contrary, it can only gain new insights about the scope and nature of risk and uncertainty management in organisations from a systematic focus on how managers actually apprehend risk matters.
Finally, that risk management practice can be (cautiously) decoupled from risk management theory should stand as a warning flag for anyone engaged in launching formalised risk management schemes into an organisation. Because practice is richer than its own vocabulary, there is an imperative need to take into account the richness of practice by street-level risk managers (after Lipsky (1980)) when preparing the implementation of risk management schemes. A good dose of contextual sensitivity, flexibility and critical reflexivity is required. Do not stop at what is said, especially if it stays at a formal description of the organisation. Instead, look carefully into what managers actually do. Follow the logic of everyday managerial practice to broaden one's view of what constitutes risk management; ponder over how the risk management scheme under consideration can be articulated with existing organisational practices of risk management. Formal risk management schemes are locked into a very specific view about the nature of uncertainty and how it should be dealt with. Mechanical implementations of set risk management models are not only likely to destabilise and disrupt existing practices of risk management, but they may even increase the risks that the organisation is exposed to. To avoid such a hazard, it is recommended to commence any implementation of a formalised risk management scheme by starting with a careful listening to the practice of risk management, even if it is silent or close to it.
Research project ‘Decisions on risk within public transportation’ part of the Transam research program, co-financed by the Swedish Rescue Services Agency, the Swedish Emergency Management Agency, the Swedish Maritime Administration, the Swedish Road Administration, and Vinnova (Research Grant: SRV dnr 621-6092-2005).
Thanks to Åsa Boholm, Vicki Johansson, Ragnar Löfstedt, Annette Risberg, Åsa Thelander, as well as two anonymous reviewers for their constructive comments on previous drafts of this article, and to Pat Zukowski for her editing help.