Risky business: corporate risk regulation when managing allegations of crime

This article seeks to develop an understanding of how corporations manage their social and ethical responsibilities, whilst simultaneously facing allegations of crime. It draws on the case of TeliaSonera, a Swedish corporation prosecuted for committing bribery in Uzbekistan. The article begins by introducing the reader to this so-called ‘Uzbek affair’, before exploring how corporate governance has shifted in the new regulatory landscape, and the role CSR plays in this landscape. Secondly, it critically deconstructs TeliaSonera’s regulatory regime, in order to analyse how the risks of corruption and bribery are managed in the aftermath of the Uzbek affair, and what functions this management fulfils for the corporation’s front stage performance. By drawing on the distinction between primary and secondary risk management as proposed by Power [1, 2], the article argues that the regime in place to manage social and ethical risks simultaneously manages reputational and profitability-related risks, thus illustrating the dual functions of corporate risk management. This duality, it is suggested, is a consequence of the responsibilisation process in which corporations have become self-regulating entities, which allows for a ‘risk management of everything’ (cf. [1]).


Introduction
Critical criminologists have long recognized the social harm that stems from the conduct of multinational corporations, in their own pursuit of profit (see, e.g., [3][4][5]). The task of safeguarding human and environmental rights has traditionally been an obligation of the nation state ([6]: 255), but corporations have in the last decades acknowledged their responsibility for implementing measures to prevent harm against the public good ([7]: 178). This idea is often conceptualised as 'Corporate Social Responsibility' (CSR), which denotes that corporations ought to manage their business in a manner that secures not only private, but also public, interest [8]. This new corporate 'social position' follows the shifts in the regulatory landscape, in which state power has been redistributed and dispersed across different governing bodies, blurring the 'private-public' dichotomies ([8]: 421). Since CSR is predominantly managed through voluntary measures that exceed corporations' legal responsibilities, such as internal 'codes of conduct' and ethical frameworks (see [9]), attention becomes directed to the manner in which corporations have become a new site of control (cf. [10]).
Taking this new corporate position as a point of departure, this article analyses how a Swedish corporation manages its social responsibilities whilst simultaneously facing allegations of crime (in other words, when the failure to secure socially responsible practices has already occurred). The corporation of interest is TeliaSonera, a Swedish telephone company and mobile network operator, which has been prosecuted for completing illegal monetary transactions in Uzbekistan. By conducting a thematic analysis of a selection of corporate documents, the aim of this paper is to (i) analyse how risk regulation regarding bribery and corruption has been transformed in the years following the so-called Uzbek affair, and (ii) analyse what functions these transformations fulfil for TeliaSonera's front stage regime.
Rather than being concerned with how CSR could be used discursively as a response to allegations of crime and corporate scandals, this article takes an interest in the logics of corporate risk management and the practices that follow. Because of the dispersal of power and control within the regulatory landscape, this study sides with Braithwaite [43] in suggesting that criminology must widen its scope to account for sites of monitoring and enforcement beyond the branch of criminal justice and traditional means of crime control. Therefore, analysing corporate risk management contributes to existing research by illustrating the decentralisation of the current regulatory landscape, how new sites of control manage their state-imposed responsibilities, and the logics within such a site.
The article is organised as follows. The next section offers a brief description of the Uzbek affair and its aftermath. Thereafter, the article sheds light on previous research on corporate risk management in general, and CSR in particular, while also introducing the article's theoretical framework. TeliaSonera's regulatory regime is then deconstructed into the three stages of risk regulation (standard-setting, monitoring, and enforcement), and the dual functions of risk regulation are discussed. Lastly, TeliaSonera is situated in the wider regulatory landscape, and corporate risk regulation is discussed in relation to the nation state.

The Uzbek affair
The corporation TeliaSonera arose through the merging of Swedish Telia and Finnish Sonera, yet the corporation (currently known as Telia Company, following a name change in 2016) has business operations expanding well beyond the Nordic market [11]. Both the Swedish and the Finnish states are shareholders in Telia Company, yet the Swedish state is the principal shareholder as it holds 37.3% of the corporation's shares [12]. In 2007, TeliaSonera began conducting business in Central Asia, primarily Uzbekistan, a country known for having one of the highest corruption levels in the world [13]. Until late 2016, Uzbekistan was governed by president Karimov, whose regime has shown little respect for human rights throughout the years [14]. In September 2012, a few years after TeliaSonera's establishment in Uzbekistan, a Swedish journalistic television show claimed that TeliaSonera had completed monetary transactions to a local Uzbek partner in connection with the process of obtaining 3G licences. This 'local partner' was revealed to be a small corporation based in Gibraltar with close links to Gulnara Karimova, the daughter of late president Karimov. In total, the transactions amount to more than 230 million Euros [15]. Shortly following this disclosure, national prosecutors classed TeliaSonera's transactions as constituting bribery, and a criminal investigation was initiated ([16]: 187). In September 2017, three former TeliaSonera executives, including the former CEO and the former Vice President, were prosecuted on bribery charges [17].
The Uzbek affair has been thoroughly covered in national media and journalists have raised questions about the legality of TeliaSonera's actions. Furthermore, representatives of the Swedish state have publicly criticised the corporation's apparent disregard for human rights. As the Minister for Financial Markets, Peter Norman, put it: "New and deepened knowledge regarding issues of human rights and corruption is needed in the Board of Directors, knowledge that is not present in the Board today" ([42], my translation). TeliaSonera has provided several public responses to the allegations of crime, both in the national media and through their own channels (for an analysis of these accounts, see [16]). At the inter-organisational level, one of TeliaSonera's remedies for the Uzbek affair has been regulatory expansion:
"In the last few years, we have understood the depth of the unethical and possibly illegal practices in region Eurasia. […] To remediate the issues we have worked extensively with analysing our risks, investigating potential fraud and corruption schemes, training employees and building a culture where no one is afraid of speaking up when they see potential or actual corrupt practices" ([59]: 76).
Thus risk regulation, with regard to bribery and corruption, has been transformed and expanded in the aftermath of the Uzbek affair. These developments, and the function they fill, are the units of analysis in this article. In the following section, a theoretical framework for understanding modern-day corporate risk management will be provided, beginning with a description of the corporate risk regulation of today.

Existing research and theoretical setting
To understand the functions of corporate risk management, one must first understand the transformations within the wider regulatory landscape. It is a landscape that adheres to neoliberal rationalities encouraging processes of de-regulation, primarily within the market and civil society, spheres that are perceived as relatively autonomous and thus released from external interference ([18]: 177). But simultaneously, the commercial and industrial life has witnessed an increase of regulation, which is particularly evident in the rise of internal control systems ([19]: 242; [20]: 36). Thus, re-regulation rather than de-regulation characterises the regulatory landscape of today ([21]: 16), as the exercise of control has been shifted from the sovereign state to become a built-in feature within the market itself ([10]: 517). By governing at a distance, the state decides on the ends of government whilst relying on the self-regulation of markets to fulfil these ends. This process is known as responsibilisation, and thus captures the way in which governing power has been redistributed among non-state actors and agencies (see [9]: 68-68).
Therefore, corporate risk management has experienced a considerable transformation and expansion in recent times, characterised by the growing importance of proactive, rather than reactive, means of managing organisational insecurities ([19]: 244-245). However, the concept of 'risk' is not static. 'Risk' is commonly defined as the likelihood of an incident that is perceived as a danger in relation to organisational interests ([22]: 86), suggesting that the meaning of risk is dependent upon the logics within the organisation ([23]: 4). This fosters different regimes toward risk regulation, yet their basis generally consists of three essential stages: standard-setting (the process of setting targets within an organisation); monitoring (the observance of the pursuit of pre-defined targets); and enforcement (the modification of behaviour in cases of deviances) ([24]: 23ff). By investing in each stage, organisations design their own regulatory regime and decide how to control the pre-defined risks within their own domains.
Extending the idea that risk regulation is dependent upon organisational definitions and interests, Michael Power offers a framework for differentiating between two sets of risk. Drawing on his observations of the expanding audit risk model, Power argues that there has been an important change in the way auditors interpret risk during the last decades. Rather than being concerned with mistakes and misstatements in the reporting process alone, auditors have become increasingly concerned with the risk of themselves suffering from financial and reputational damage ([1]: 58). The former set of risks can be conceptualised as primary risks (risks that the auditors are explicitly charged with managing), whilst the latter can be conceptualised as secondary risks (risks relating to the auditors' own position) (ibid: 59f). The distinction between primary and secondary risks, and the intertwining that may occur between the two, can also be applied when analysing the actions of corporations. Aside from the primary risks that modern-day corporations are expected to manage (e.g. social and environmental risks, as conceptualised by CSR), reputational risk management has emerged as a specific corporate vulnerability in the last decades (see [20]: 129). Take, for example, the experiences of Shell. When the corporation decided to dispose of the Brent Spar oil platform in the North Sea, it resulted in a mass boycott of Shell products. The reason for this was that whilst Shell had taken the environmental impact of the disposal into account, the corporation had not considered the ability of external stakeholders, lobby groups and the media to influence public opinion ([2]: 33). Attempting to control the prospect of suffering reputational damage (that in the long run could transform into financial damage, as the case of Shell illustrates) requires secondary risk management, which may be all the more important for corporations facing allegations of crime, such as TeliaSonera.
Previous research on CSR further illustrates how secondary (reputational and financial) risks may be prioritised over primary (social and environmental) risks. Several authors suggest that corporate commitments to CSR regulation may be primarily rhetorical, in place to neutralise the risks attached to corporate conduct whilst allowing 'business as usual' to continue [6,7,9,25]. Voluntary, international frameworks are often adopted into corporations in a manner that suits their financial interests ([9]: 58; [8]: 433), making it unlikely that corporations would assume CSR unless it fits the corporations' profitability criteria ([16]: 196). Thus, it is rather unsurprising that a recent meta-study found that the main incentives for investments in CSR were to i) strengthen the corporate image as a 'good citizen', ii) secure management positions, iii) signal the high quality of their products, and iv) reduce conflicts between the corporation and its stakeholders [26]. Thus, CSR regulation may first and foremost be about restoring and maintaining corporate legitimacy:
"The degree to which regulatory controls are imposed on capital is […] more readily comprehensible in terms of the harms that certain crimes cause to the legitimacy of the markets and associated institutions, rather than in terms of the harms that some crimes imply for people, for our water and air quality, for biodiversity, and so on" ([27]: 11).
The desire for legitimacy is particularly prominent for corporations facing allegations of unethical or illegal conduct, as their legitimacy is questioned in the light of the allegations ([44]: 3). Crises of reputation and legitimacy due to corporate misconduct are therefore often met with corporate philanthropy and measures to improve social responsibility. To exemplify this notion, Kuldova [28] draws on the case of the Bill and Melinda Gates Foundation, which was established as a direct response to accusations of unlawful monopolization and crippling competitors, damaging the public image of Bill Gates. By "re-inserting morality into the market", e.g. by expanding CSR commitments, consumers' attention is diverted from exploitation and violations toward a socially responsible image (ibid: 7; see also [29]). After all, corporations must convince others that their use of power is in fact legitimate and rightful, in order to survive ([44]: 1).
Drawing on Power's framework, investments in CSR that are based on corporate, rather than social, interests could thus be conceptualised as constituting secondary, rather than primary, risk management (cf. [20]: 149). In this article, the distinction between primary and secondary risk will be used as a theoretical basis for interpreting the functions TeliaSonera's risk management fulfils in the aftermath of the Uzbek affair, and the interests that guide them.

Methods
To fulfil the aim of this article, a thematic analysis was conducted. The analysis was based on official documents describing TeliaSonera's risk regulation: Annual and Sustainability Reports; Interim Reports; documentation from Annual General Meetings; and a selection of Press Releases. Taken together, the documents offer rich descriptions of how TeliaSonera's regulatory regime has been developed, motivated, and evaluated over time. Since this article seeks to analyse TeliaSonera's regulatory regime in the aftermath of the Uzbek affair, which was uncovered in 2012, the documents stretch from 2013 to 2015. The analysis was informed by the previously described 'regime' approach, proposing that risk regulation transpires in three fundamental stages: standard-setting, monitoring, and enforcement [24]. In the analysis, these stages were reconstructed on the basis of the chosen documents. When put together, these stages constitute the analytical basis of a risk regulation regime. Whilst this approach could be criticised for limiting the researcher's field of vision, it has the advantage of sensitising the analytical process, which has been theoretically informed from the outset ([30]: 88). Furthermore, because of the heterogeneity of information conveyed in the material, a more grounded approach would not have been suitable, considering that large portions of the material are of little relevance for this article.
The process of analysing the material began with openly skimming through the documents, with the purpose of sorting out all sections describing risk management and CSR commitments. Since the risks of interest to this article relate to CSR, other sets of risk were neglected. In subsequent readings of these sections, greater attention was paid to detail and focused on anti-corruption and anti-bribery, whilst mapping out and loosely coding different regulatory practices (e.g. specific units and programs). These practices were subsequently sorted into the three stages within the analytical model of risk regulation. While it was not always evident to which of the three stages a specific practice belonged, iteratively working on the theoretical analysis on the side helped uncover how the stages relate to one another, and how they together constitute TeliaSonera's risk regulation regime.
When studying corporations, or other 'powerful' actors, there are a few common methodological limitations. Studying TeliaSonera is no exception. As a multinational corporation, TeliaSonera is in a social position that allows for selectivity in the information that is released into the public gaze, thus (implicitly or explicitly) setting the limits on the researcher's interpretations of their activities. The presentation of the corporation in the chosen documents is characterised by a selected set of general key words and phrases, and takes aim at describing broader developments rather than targeting actual implementation of regulatory practices. Thus, drawing on Goffman's [31] classic concepts of 'front stage' and 'back stage', the empirical basis of this article is TeliaSonera's front stage presentation, as the corporate back stage area remains inaccessible. In the following section, this presentation will be deconstructed, as its transformation in the aftermath of the Uzbek affair will be explored in detail.

Before the accusations
In 2010, prior to the Uzbek affair, TeliaSonera acknowledged that corruption is a substantial risk to the telecommunications industry ([46]: 14), and stressed the need to fully understand "local conditions" in its anti-corruption work ([47]: 4). Given its lack of democratic leadership coupled with a limited concern for human rights, Uzbekistan is highlighted as a high-risk country for corrupt practices (ibid: 11). However, in the eyes of the corporation, the risk of corruption appears sufficiently regulated through the corporate Code of Ethics and Conduct ([46]: 66), which was introduced in 2009 (ibid: 4). To enforce the code, TeliaSonera has primarily relied on traditional forms of observing corporate behaviour, e.g. auditing and whistle-blowing systems (ibid: 9, 15), as well as employing external reviewers ([48]: 12). All in all, the risk of corruption seems well known to TeliaSonera in the years leading up to the uncovering of the Uzbek affair, but its regulatory regime does not appear to be directed at managing this particular risk. As will be shown in the following analysis, which deconstructs TeliaSonera's regulatory regime into the three stages of risk regulation, the same cannot be said in the years following the affair.

Standard-setting
In any attempt to manage risk and provide security, organisations must first and foremost define what constitutes a risk ([23]: 85). The means of defining and assessing risk transpire within the 'standard-setting' component within a risk regulation regime (see [24]: 25).
For TeliaSonera, "anything that could have a material adverse effect on the achievement of TeliaSonera's goals" is considered a risk ([51]: 26), yet sustainability is singled out as a particular risk area. Whilst TeliaSonera prioritises four detailed sets of sustainability-related risk, the corporation has directed particular attention to defining and assessing the risks related to corruption and bribery in the aftermath of the Uzbek affair. As an immediate response to the allegations of crime, TeliaSonera employed an international law firm with the task of reviewing the corporation's transactions in the Eurasia region, and conducting a risk assessment of TeliaSonera's practices from an ethical perspective [54]. The intention behind the review was for TeliaSonera to gain information on how to take "the necessary measures to establish suitable conditions in order to act appropriately and ethically today and in the future" ([49]: 33). Furthermore, TeliaSonera conducted in-depth assessments within each of the high-risk markets in region Eurasia during the years following the Uzbek affair, with the purpose of investigating the risks of corruption and bribery ([50]: 20). This emphasis on defining and assessing the ethical risks within region Eurasia in the aftermath of the Uzbek affair illustrates how the meaning of 'risk' is contingent upon the interests and priorities of the corporation itself, rather than being a self-evident construction (cf. [22]: 93).
The motivation for these risk assessments is displayed in the corporate values and norms, i.e. the standards against which organisational behaviour is to be compared (cf. [32]: 452). These standards allow the corporation to make distinctions between the "more and less preferred states of the system" ([24]: 23). Because TeliaSonera allegedly operates in "highly challenging markets", the preferred state of the corporation could be represented by its zero tolerance against human rights abuses and corruption ([56]: 43), suggesting that being socially responsible is an important norm guiding TeliaSonera's risk regulation. This notion is further highlighted when the corporation claims to account for not only private, corporate, interests (i.e. profit) but also public interests, in the regulation of sustainability-related risk after the Uzbek affair:
"[…] sustainability covers all efforts related to how we account for our long-term impact on society and the environment. Our responsibility extends throughout the value chain. We believe that when we do good, it strengthens not only our business but also the societies in which we operate, creating long-term shared value." ([56]: 66).
As illustrated above, TeliaSonera appears to recognise the social impact of their business activities, and acknowledges that the corporation bears responsibility for mitigating this impact. The target of their operations is therefore not only profitability on the corporation's behalf, but also to 'do good'. Furthermore, TeliaSonera emphasizes that the corporation has a "duty to have a positive effect" on the communities in which they operate ([49]: 11, my italics). Thus, by claiming to account for public interest in its regulatory regime, the corporation draws on the notion of itself as a 'social actor' to emphasise its duty to manage sustainability-related risk. However, TeliaSonera does not only use the language of social responsibility to describe its corporate position, but also to describe their business practices. By being active in the telecommunications industry, TeliaSonera states that the corporation attends to "one of the most profound and basic human needs - to communicate" ([50]: 6). Thus, the corporation perceives itself as contributing to openness and societal development through the nature of their operations, in spite of the allegations of illegal business practices in Uzbekistan:
"The Board believes that few tools are better for transparency and democracy than mobile telecommunications, which enable people to communicate with each other and the outside world" [53].
Throughout the analysed documents, TeliaSonera highlights the positive nature of their industry and the impact of their core business activities, rather than addressing the risks that these activities might pose to communities. These claims that the corporation creates opportunities for societies in which they operate and tends to 'human needs' could be interpreted as an attempt to create the image of the corporation as a 'good citizen' (cf. [26]: 45-46; [16]: 193), and thus represent an attempt to restore corporate legitimacy, which has been questioned and renegotiated in the aftermath of the Uzbek affair.
But becoming a good citizen is not the only standard that TeliaSonera strives to uphold. It cannot be ignored that after all, the main objective of corporations is to create profit for the shareholders ([45]: 35). In the aftermath of the Uzbek affair, this profitability concern is intimately tied to the realm of social responsibility, as expressed by the Chairman of the Board at one of TeliaSonera's Annual General Meetings after the Uzbek affair:
"It is my strong opinion that there is a clear link between a long-term approach to sustainability issues and high profitability. In TeliaSonera, as in any company, the customer is king. If we can ensure that we meet their expectations we will also be able to deliver a good return on investment of our shareholders." [58]
Thus, by acknowledging sustainability-related risks and securing a responsible business approach, TeliaSonera suggests that the corporation will increase profit levels. Profitability is therefore understood as delivered through sustainability. Sustainability, in that sense, becomes an instrument or a tool for a given end, rather than being the end itself. These notions illustrate that despite rising concerns about the social impact of corporate conduct and the demands for complying with international CSR standards, the primary relationship between society and business remains economic, based on corporate, not social, interest (cf. [9]: 52).
Defining something as a 'risk' implies that it is a threat to organisational interests ([23]: 3). According to Power ([1]: 61), the most prominent threat for corporations is reputational damage. When discussing socially responsible regulation in the years following the Uzbek affair, TeliaSonera frequently links reputational concerns to sustainability in a manner suggesting that the former, not the latter, is the target of regulation:
"My ambition is for TeliaSonera to set an example, but also to be a leading company within selected business areas, or as we say, Ethical Business Practices. Our focus right now is on freedom of expression and anti-corruption, areas where we have the burden of proof. […] Much time and effort has been spent to restore confidence in the company, and this will continue." ([57], my italics).
Here, the expansion of regulation is perceived as a means of 'restoring confidence' in the corporation, in the aftermath of the Uzbek affair. When discussing high-risk markets and complicated legal areas, TeliaSonera emphasizes that the risks of operating in these areas are those of "lawsuits that might harm the company" ([58], my italics), and that regulatory failures have the potential to "negatively impact TeliaSonera's business operations and its brand" ([52]: 29, my italics). Thus, the corporation presents itself as being at risk of harm in instances of non-compliance with sustainability-related demands. This is illustrated during the first Annual General Meeting after the uncovering of the Uzbek affair, as the CEO suggests that if the corporation's reputation is harmed, it could affect other aspects within TeliaSonera as well, such as the profitability levels in the long run:
"People's confidence in TeliaSonera as a company is crucial. Our confidence capital is a competitive factor that we cannot afford to be without. It is a necessary prerequisite for building future values. If confidence in the company falters, we take it very seriously." [55]
This quotation illustrates the ways in which reputation (or "confidence capital") is understood in financial terms, as it is related to the corporation's profitability. As such, maintaining reputation itself might not be the purpose of TeliaSonera's standard-setting process; rather, the purpose is financial gain through reputational capital.
Thus, in response to the allegations of crime, TeliaSonera has taken measures to further define and assess the risks relating to bribery and corruption in the Eurasia region. The corporation is furthermore careful to position itself as a social actor in the aftermath of the Uzbek affair, but these concerns are simultaneously bound up with issues of 'confidence capital' and profitability. In these instances, it appears that TeliaSonera's standard-setting process emphasises the interests of the corporation, rather than the interests of the community at large (cf. [27]: 11).

Monitoring
When facing high levels of public scrutiny in the aftermath of the Uzbek affair, TeliaSonera acknowledged their unethical behaviour and offered the following explanation:
"Overall, the internal information and control at different levels (owners, directors, management and line management) was not sufficient to pick up warning signs that there were ethical risks. In hindsight, it is evident that a more stringent investigation of the counterparties should have been conducted. One consequence of this was that subsequent investments were also not subjected to proper examination." [53]
Here, the Uzbek affair is framed as the result of lacking information about the risks TeliaSonera faces, which caused a case of corporate 'under-regulation' (cf. [22]: 69). This relates to the second stage within a risk regulation regime: monitoring, i.e. means of observing activities and gathering information in order to detect any irregularities or deviances ([24]: 23). Monitoring thus functions as a way of safeguarding the pursuit of pre-defined goals ([32]: 452). Unsurprisingly, several new means of information-gathering have been developed within TeliaSonera in the aftermath of the Uzbek affair.
To monitor the risks the corporation faces, two new regulatory units have been implemented during 2013, the year following the uncovering of the affair. Firstly, TeliaSonera has introduced the Governance, Risk, Ethics and Compliance (GREC) meetings, in order to monitor internal measures taken to minimise, among others, sustainability-related risk. The meetings are based on information comprised in various internal risk assessments and risk reports ([56]: 56, 59-61). Secondly, TeliaSonera has developed the Sustainability and Ethics Committee (SEC), consisting solely of members from the Board of Directors. The committee collects information about, and seeks to monitor, all sustainability-related reporting, policy-making, and implementation processes throughout the corporation (ibid: 48). Taken together, these units illustrate a shift within TeliaSonera that occurred after the uncovering of the Uzbek affair, as they facilitate greater degrees of monitoring (and thereby controlling) the activities and behaviours within the corporation. However, TeliaSonera does not only rely on internal means of observing levels of compliance. Because of the Uzbek affair, TeliaSonera employed a national law firm with the task of reviewing all of the corporation's investments in Uzbekistan. The purpose of this review was to obtain an "independent investigation" of the allegations of criminal conduct ([50]: 12). Thereby, TeliaSonera receives an external, yet still private, review that aids the corporation in monitoring its behaviour.
In 2014, TeliaSonera adds another new monitoring function to the list, as the corporation introduces the Speak-Up Line. It is a whistle-blowing function, and can thus be used to report (suspected) breaches of ethical and legal frameworks ([59]: 59). The Speak-Up Line can be used by employees wishing to avoid regular reporting mechanisms (e.g. contacting their local manager), but it can also be used by members of the public. Thereby, the line offers "everybody […] the opportunity to anonymously report any mistakes they see being made" ([57], my italics). The fact that the Speak-Up Line is available not only for employees but for the general public illustrates how TeliaSonera invites the public to monitor their activities. Similar to the ways in which members of the public are able to report illegal behaviours on the street, they are now given the opportunity to report illegal and unethical behaviour within a corporation. The Speak-Up Line is therefore an example of how traditional mechanisms of monitoring social order have been extended into closed, private settings (cf. [10]: 517-518). Thus, by not only having internal means of monitoring but also allowing external agencies (both private law firms and the general public) to observe corporate behaviour, TeliaSonera attempts to create "windows on society which bring the 'outside in'" ([20]: 139). However, the monitoring conducted by the Governance, Risk, Ethics and Compliance Meetings, and the Sustainability and Ethics Committee, still occurs behind closed doors, and the results from private reviews and reports to the Speak-Up Line are owned by the corporation. These functions could therefore help TeliaSonera limit the possibility of negative publicity, and thus avoid larger financial and reputational repercussions, if non-compliance is discovered (cf. [1]: 61).
There are several examples of how TeliaSonera attempts to collect information about the present state of the corporation, and thus monitor “what happens in pursuance of the goal” ([32]: 452). Following the Uzbek affair, TeliaSonera conducted a materiality review, in which a set of sustainability-related risks were identified. Subsequently, these risks were validated by the corporation's stakeholders, which allowed for benchmarking of the corporation's work ([56]: 70). Furthermore, TeliaSonera began adding sustainability-related questions to their employee commitment survey, in order to gather information on how employees perceive the corporation's sustainability work (ibid: 71). Later on, in 2015, TeliaSonera constructed the 'sustainability perception index', which contains stakeholders' perceptions of the corporation's sustainability work, thus allowing for statistical measurements of corporate performance. The corporation also constructed the 'responsible business index', which presents measurements of the employees' knowledge about TeliaSonera's ethical frameworks ([59]: 69).
These means of collecting information on corporate performance, in relation to stakeholders' expectations and employees' perceptions, suggest that TeliaSonera actively attempts to monitor the corporation's pursuit to minimise sustainability-related risk. Furthermore, the visibility of these reviews and indexes illustrates how means of monitoring can be used by the corporation to paint a desired picture of the corporation before the eyes of potential stakeholders. Thus, these regulatory practices may fall within a corporate 'front stage', as they represent a carefully prepared performance in front of the target audience (cf. [33]: 128).

Enforcement
The final component within a risk regulation regime is the enforcement component; the means “by which power or influence is brought to bear on the system to change its state” ([34]: 22). This component pertains to corrective actions, aimed at modifying individual and organisational behaviour in the pursuit of the ideal state of the organisation ([24]: 26). Within TeliaSonera, the practices that seek to modify behaviour fall on both sides of the regulatory spectrum, as they represent both coercive and persuasive strategies. Typically, coercive modes of regulation emphasise rules, reactive approaches, and punishment, whilst persuasive modes of regulation emphasise incentives, proactive approaches, and trust ([19]: 247-248).
The most important persuasive strategies to secure compliance within TeliaSonera are the codes of conduct, which set “the boundaries on how the employees shall act” ([49]: 40). Whilst the codes of conduct existed prior to the Uzbek affair, TeliaSonera put particular emphasis on developing complementing strategies aimed at preventing corruption and bribery in its aftermath. In 2013, the corporation implemented a policy and guiding principles on the subject of anti-corruption, as the corporation recognises the need to “do more to fight corruption and bribery” ([50]: 3). Thus, the risks TeliaSonera defined in the standard-setting stage after the Uzbek affair are here disaggregated into corporate practice.
The primary responsibility for enforcing “compliance with ethical and legal requirements” falls upon the Ethics and Compliance Office (ECO), which was established in 2013, thus shortly after the uncovering of the Uzbek affair ([49]: 6). The ECO focuses on sustainability-related risks and attempts to modify employee behaviour through different compliance-oriented strategies. The primary means for doing so is the implementation of specific ethics and compliance programs (ibid: 45), which in the aftermath of the Uzbek affair took the shape of an anti-bribery and corruption program. The program aims to implement the anti-corruption policy through a persuasive regulatory approach, in which employee behaviour is to be modified through classroom training sessions, internal learning platforms, e-mails, meetings and networks ([50]: 21).
To interpret these developments within TeliaSonera's regulatory regime, it is possible to explore how the notion of 'risk' affects organisational behaviour. Within a risk paradigm, concern falls on the prevention and calculation of future harm, and different means of maintaining security ([19]: 245f). Therefore, modification and correction of behaviour ought to be characterised by a proactive rather than reactive regulatory mentality, thus suggesting that the behaviour of all actors involved in an organisation needs to be corrected before non-compliance occurs. This is illustrated by the persuasive regulatory approach employed by TeliaSonera, since behaviour and action are to be modified through standards, programs, training sessions, and so forth prior to potential breaches of ethical and legal frameworks. However, these persuasive, proactive means of modifying employee behaviour do not only illustrate that all employees are simultaneously perceived as being subjected to risk and constituting a risk, but also that they are responsible for managing risk. Thus, through such means of enforcement, “everyone becomes a risk manager” ([1]: 62). This notion is especially interesting in the case of TeliaSonera, since it was three former executives (among these, the former CEO and the former Vice President) that were charged with allegations of committing bribery during TeliaSonera's establishment in Uzbekistan. Thus, parts of TeliaSonera's formal management are under investigation, yet the risk of committing bribery is here collectivised and framed as a responsibility for the entire corporation, which may particularly affect employees further down the corporate hierarchy, through the development of training sessions and learning platforms.
The coercive regulatory strategies within TeliaSonera take the form of more traditional corrective actions. As described previously, both employees and external actors have the possibility of reporting suspicions about non-compliance with ethical and legal frameworks through TeliaSonera's Speak-Up Line. The case reports are later managed, and if necessary investigated, by the Special Investigations Office, a new regulatory unit that was introduced alongside the Speak-Up Line in the aftermath of the Uzbek affair ([59]: 59-60). When the investigations are closed and it is deemed necessary to take disciplinary action, the case reports are handed to the Ethics Forum. The forum was founded in 2014, and is an oversight committee headed by the CEO with the specific aim of managing corrective actions when allegations of non-compliance are substantiated ([56]: 68). During 2015, the majority of the decisions taken by the Ethics Forum “resulted in termination of employees but also warnings were issued in some cases” ([59]: 60). Thus, TeliaSonera has the ability to act as a private justice regime, as “out-of-court settlements” appear to be an option for modifying organisational behaviour (contrasting public justice regimes, represented by state institutions and the use of criminal law) (see [35]: 46). However, TeliaSonera does not attempt to correct instances of non-compliance all by itself. In 2014, the corporation had a case concerning potential fraud within the corporation. Given the nature of the case, the investigation “required public announcement” and was therefore handed over to a local prosecutor. With regard to the involved actors, TeliaSonera writes that these employees are “no longer with the company” ([56]: 68). This notion therefore illustrates that whilst TeliaSonera is a private actor, the corporation has the ability of employing public institutions in the pursuit of their own interests. As such, the state is not neglected (which would have been impossible in the case of TeliaSonera, as the Swedish state is the principal shareholder) but still has the ability to exert some influence over operations that are primarily kept within closed, private settings (cf. [32]: 466-467).

A new regulatory regime
In the past three sections, it has been shown how TeliaSonera has transformed and extended their risk regulation regime in several ways in the years following the Uzbek affair. The norms informing the regime draw attention to the importance of TeliaSonera being a 'social actor', whilst simultaneously highlighting the need to increase the corporation's financial and reputational capitals. These norms affected the means of setting standards in the aftermath of the Uzbek affair, as TeliaSonera assigned particular emphasis to corruption and bribery in the process of selecting and assessing risk. Furthermore, the corporation has extended its means of internal monitoring, primarily by establishing a series of new regulatory units: the Governance, Risk, Ethics and Compliance Meetings; the Sustainability and Ethics Committee; and the Speak-Up Line. TeliaSonera furthermore expanded regulation by initiating an external review of the transactions in Uzbekistan, and by constructing indexes to monitor the state of its internal sustainability work. With regard to enforcing compliance, TeliaSonera seeks to modify behaviour through a set of persuasive regulatory strategies within the realm of anti-corruption and bribery. These strategies are the primary responsibility of the newly established Ethics and Compliance Office. In addition, TeliaSonera draws on coercive strategies to investigate and correct potential breaches of ethical and legal frameworks, through the newly founded Special Investigations Office and the Ethics Forum. In conclusion, there have been substantial transformations in the way TeliaSonera manages risk in the aftermath of the Uzbek affair, illustrated by the expansion and heightened complexity within all stages of the corporation's risk regulation regime.
In conclusion, TeliaSonera not only emphasised the areas of bribery and corruption in the aftermath of the Uzbek affair; it also organised a regulatory regime around them. However, whilst it might be expected that the regime was developed to minimise the risks of social harm that stem from bribery and corruption, there are aspects of the regime that do not primarily correspond with this objective. These aspects will be summarised and discussed in the following section.

Dual functions of corporate risk management
Firstly, in the analysis of TeliaSonera's norms regarding corruption and bribery, it became apparent that whilst the corporation emphasizes the importance of managing social responsibility, this concern was at times made relative to either the corporation's reputation or its profitability. Thereby, sustainability is constructed as a means of achieving important corporate targets, rather than constituting the target itself, whilst reputational and monetary losses become constructed as risks. Furthermore, the way TeliaSonera positions itself as a 'good citizen' could be understood as a means of investing in reputational assets, since the corporate statements focused on TeliaSonera's position in 'risky' societies, rather than the actual impact the corporation has on these societies. Thus, on the path towards ensuring compliance with demands for social responsibility, TeliaSonera's emphasis falls on risks against the corporation (reputational and financial risk) and not on risks against the communities.
Secondly, in the analysis of TeliaSonera's components for monitoring and enforcement, it was shown that several new regulatory units have been developed in the years following the Uzbek affair. Whilst limitations in the material hinder insight into the units' actual operations, their mere existence and visibility illustrate how TeliaSonera has invested in an outward-facing and seemingly responsive regulatory regime, thus supporting the management of reputational risk (cf. [20]: 135). This is also illustrated by the notion that the prevention of bribery is framed as a responsibility for the corporation as a whole, rather than primarily being a responsibility for the TeliaSonera management. Thereby, it can be suggested that (visible) regulatory expansion in itself is important, rather than regulatory expansion concerned with preventing the Uzbek affair from repeating itself.
Furthermore, by employing private law firms to review the investments in Eurasia and the subsequent allegations of bribery, TeliaSonera 'owns' the investigation and can thus decide whether or not the results ought to be made public. Similarly, the private investigations and corrective actions relating to the Speak-Up Line, the Special Investigations Office, and the Ethics Forum facilitate a degree of corporate discretion, as irregularities can be kept outside the public gaze, and cases of verified non-compliance can be corrected internally. The notion that corporations can 'own' their conflicts is not new; however, this case illustrates how chances of negative publicity can be kept to a minimum since no external actors need to be involved in the process of monitoring and enforcement (cf. [35,36]).
The present study argues that these aspects do not primarily fulfil the objective of managing the social risks related to corruption and bribery; instead, they primarily fulfil the objective of managing the reputational and financial risks of these crimes. Thus, conceptually, a distinction can be made between primary and secondary risks, i.e. between the risks TeliaSonera is explicitly expected to manage (social harm), and the risks that relate to TeliaSonera's corporate position [1,2]. The aspects of TeliaSonera's regulatory regime summarised above, and highlighted in greater detail throughout the analysis, could be interpreted as secondary risk management, as the corporation attempts to minimise the prospect of reputational and financial losses, which is materialised in the way TeliaSonera has transformed its internal environment of crime control. Thus, while TeliaSonera's new regulatory regime could be interpreted as an attempt to manage primary risks (suggesting that the function of minimising non-compliance with legal and ethical frameworks is to minimise the harmful impact of business conduct on society), the findings illustrate how its regime simultaneously is designed and employed to manage secondary risks.

Discussion and conclusions
This article has shown how TeliaSonera's risk regulation has transformed and expanded in the aftermath of allegations of crime. It has been suggested that the regime in place to manage social and ethical risks simultaneously manages reputational and profitability-related risks, thus illustrating the dual functions of corporate risk management. The distinction between primary and secondary risk management should therefore not be understood as clear-cut, since primary risks can become translated into secondary risks (cf. [1]: 58). For TeliaSonera, this translation process was initiated and amplified when the corporation's failure to manage primary risks became publicly scrutinised in the light of the Uzbek affair. The core of the regulatory failure might therefore not be the failure itself, but rather the failure to maintain a legitimate corporate position in the eyes of its stakeholders (cf. [22]: 71). This finding echoes previous research on how corporate CSR can be used to neutralise the risks attached to corporate conduct and maintain the corporation's legitimacy [6,7,9,25]. However, this also suggests that secondary risk management depends (or even parasitizes) on primary risk management. If the latter did not exist at all, TeliaSonera's front stage performance would not gain the credibility and 'account-ability' the corporation needs in order to recover from the Uzbek affair.
The desire for legitimacy, which may be achieved through investments in CSR and corporate philanthropy, may be even greater for TeliaSonera with regard to its ownership structure. As previously mentioned, the Swedish state is the principal shareholder in TeliaSonera. As such, the Uzbek affair not only had the potential of harming the corporation's reputation, legitimacy and, in the long run, profitability, but also of creating distrust against the Swedish state as a responsible owner. Thus, the legitimacy of the state itself was threatened, which becomes evident in the way its ownership in TeliaSonera was questioned in national media after the Uzbek affair's unfolding (e.g. [37]). This obvious intertwining between 'public' and 'private' interests could have amplified the need of secondary risk management, as the state's legitimacy as a business owner, and as the overall provider of social welfare, is at stake, alongside the legitimacy of the corporation itself (cf. [38]: 705).
Apart from being a means for corporations to position themselves (and in this particular case, the state) as legitimate actors, CSR is also a means for the state to govern corporations, by making them engage in self-regulation. As touched upon earlier in this article, the regulatory landscape is characterised by a dispersal of control as the state operates 'at a distance', by responsibilising actors and organisations to fulfil state-set targets and responsibilities ([39]: 153). The Swedish state is a prime example of that. Along neoliberal lines of reasoning, the state has responsibilised all state-owned enterprises with the task of safeguarding human and environmental rights in the course of conducting business, through self-regulatory measures like constructing internal policies and strategies ([40]: 22f). Thus, corporations entering the regulatory landscape find themselves with a discretionary space, as the implementation of these responsibilities into their regulatory regimes is left in their own hands. Arguably, this suggests that the responsibilisation strategy allows for private interests in corporate risk regulation, since the state must govern with the interests of the corporations and through their freedom, in order for governance to be successful (see [41]: 81, 118). By making corporations new sites of regulatory control in the realm of social and environmental responsibility, it becomes possible for corporate interests to be included in the regulatory process, which is here illustrated by TeliaSonera's management of secondary risks.
Given these findings, the case of TeliaSonera offers a suggestive example of how a non-state actor partakes in the task of controlling risks of harmful and illegal behaviour, responsibilities that are traditionally associated with the nation state (see e.g. [10]: 515), by engaging in self-regulation. Of particular interest is the way in which TeliaSonera's regulatory regime fulfils dual, often intertwining, functions, further illustrating the present diversity within the regulatory landscape with regard to the regulators' interests and objectives (cf. [32]: 468). The process in which primary risks become translated into secondary risks is understood as a trend towards 'the risk management of everything' ([2]: 58). By drawing on the case of TeliaSonera, this article suggests that the responsibilisation strategy amplifies this process, by contributing to the decentralisation of the regulatory landscape.
Open Access This article is distributed under the terms of the Creative Commons Attribution 4.0 International License (http://creativecommons.org/licenses/by/4.0/), which permits unrestricted use, distribution, and reproduction in any medium, provided you give appropriate credit to the original author(s) and the source, provide a link to the Creative Commons license, and indicate if changes were made.