From
Risk Society to Audit Society (1)
Michael
Power
Zusammenfassung: Der Essay beschäftigt sich mit
den Implikationen der zu beobachtenden Zunahme des Auditing in
Großbritannien für Ulrich Becks Konzept der 'Reflexiven Modernisierung'.
Allgemein wird angenommen, daß die neue Form der Qualitätsprüfung
Prozesse reflexiven Lernens in Organisationen ermöglicht, so daß
eine Kompatibilität zwischen ökonomischen Kriterien und Regulierungszielen
herstellbar ist. In der praktischen Umsetzung funktioniert Auditing
als Teil einer Struktur der 'Kontrolle der Kontrolle', deren Möglichkeiten
ambivalenter sind, als das Modell suggeriert. Trotzdem wird Auditing
aufgrund ökonomischer Motive und Gründen der Informationsverarbeitung
zu einem dominierenden Regulierungsstil. Die diskutierten Beispiele
des Auditing im Gesundheitssystem, des Umwelt-Audits und des Derivatenmanagements
legen nahe, daß Auditing sich stärker auf Prozesse des Managementsystems
als auf das substantielle Operieren einer Organisation konzentriert.
Diese Erkenntnis widerspricht der allgemeinen Erwartung an die
Form der Selbstregulierung und hat unabsehbare Nebeneffekt. Die
allgemein herausgestellten reflexiven Potentiale des Auditing
sind zumindest noch nicht sichtbar, so daß das Aufkommen der Auditing-Gesellschaft
eher mit Becks Konzept der 'organisierten Unverantwortlichkeit'
beschreibbar ist.
I
There is a growing intellectual recognition of the need to design
governance mechanisms which, in various ways, enlist the resources
of the regulatee. There has been much talk of 'governmentality'
(Rose/Miller 1992), 'mutual regulation'
(Simmons/Wynne 1994),
'self-organization' (Luhmann
1988; Luhmann 1991;
Teubner/Farmer/Murphy
1994) and 'responsive regulation' (Ayres/Braithwaite
1992). It is as if a certain kind of socio-legal scepticism
about the implementation 'deficit' of classical regulatory goals
is giving way to more upbeat assessments about the internalization
of compliance cultures within organizations. Concepts of local
empowerment have become fashionable and 'regulatory networks'
which draw from the cognitive and financial resources of the regulatee
have become an object of interest in many different domains. Overall,
the softer language of 'compliance readiness' is replacing that
of command and control. These shifts in theoretical attention
also reflect institutional change: methods of governance in a
wide variety of areas are turning to voluntaristic and market
based forms of control. Capitalism has become 'disorganized' and
'out of control' as reflexive and locally flexible control and
information structures have developed (Lash/Urry
1994, chapter 4; Kelly 1994).
It is clearly an overstatement to imply that modern states have
always, until recently, attempted to control 'from above': informal
methods of indirect influencing and state involvement in markets
(Kettl 1993) have always existed.
But there seems to be such a conspicuous and systematic change
of regulatory mood in recent years that it no longer makes sense
to juxtapose regulation by self and regulation by others. This
is not just a tired theoretical opposition; regulatory authorities
with forms of stability and control as politically necessary objectives
are recognising their limited economic and cognitive resources.
Mechanisms are being explored by which desired behaviours can
be stimulated, largely by attempting to internalise imperatives
which were previously externally imposed. For example, there is
an emergent interest in 'reflexive' forms of law predicated on
the need to understand how decisions are made (Teubner
1993; Farmer/Teubner 1994;
Orts 1995). This transformation
in control philosophy has created a demand for ways of making
organizational fields internally and externally visible for decision
making purposes. More precisely, new information structures are
required in order to challenge and shift the boundaries between
insiders and outsiders and to reconnect decision makers with their
remote publics. This connection is effected via systems of layered
influences, chains of control practices in which each 'link' controls
the next. In short, an explicit regulatory style is emerging which
can be characterised by the idea of 'control of control'.
Against the background of these broad regulatory developments,
this essay explores explore the recent growth of auditing as a
form of 'control of control' (Power
1994a) and analyses it in relation to a number of the issues
raised by Beck (1992b). Ulrich
Beck's concept of 'reflexive modernization', and his suggestion
that 'classical instruments of political direction' (Beck
1992a, 107) are being displaced by systems of knowledge which
are open and self-monitoring, are consistent with the emerging
regulatory style described above. This theme of self-monitoring
is common to many writers and in practice audit represents a distinctive
style of risk management which is growing in many different areas.
Even forms of incentive based controls through legal liability
and insurance mechanisms employ audit processes; in this way audit
has become fundamental to a new regulatory mood which delegates
and supervises. Auditing is not a glamorous subject, either for
its practitioners or indeed for its theorists. However, it is
because of this lowly and merely technical self-image that
it has, almost unnoticed, come to be such a key regulatory resource
and has extended its reach into many different areas of social
life. Audit practices also seem to offer a potential for anchoring
Beck's concept of 'reflexive modernization'. For example, the
concept of 'reflexivity' could be defined in terms of 'self-audit'
i.e. as a practice of second-order observation of organizational
operations. However, this essay argues that the programme of effective
'control of control', in which internal systems can be linked
to distant regulators via auditing, is more ambivalent than the
hopes that have been invested in it. The reflexive potential of
a risk society in Beck's sense may be delayed by, and decay into,
an 'audit society' (Power 1994b)
and varieties of 'organized irresponsibility' (Beck
1992a, 103).
II
According to Beck, a paradigm shift in the understanding of risk
is needed: a shift from the problem of knowing risk to the problem
of the risks inherent in ways of knowing. This is his most striking
theme: risks originate in the social organization of knowledge
and norms rather than in nature itself. There is of course widespread
recognition that many risks are the product of industrial modernization
and he is not alone or recent in making this claim. But Beck also
argues that this has reached a point where the economy is becoming
increasingly 'self-reflective' in its operation and new strategies
of risk definition have emerged in new locations: "This means
that the calculation of risk as it has been established so far
by science and legal institutions collapses" (Beck
1992b, 22) Calculative practices which used to be oriented
towards external, environmental 'dangers', such as shipping insurance,
are now reorienting reflexively around the self-production of
risk.
Luhmann seems to make a similar point when he argues that risk,
as opposed to danger, implies a form of management oriented towards
decision making potential: "More and more states -
whether existing or aspired to - are seen as being consequent
to decisions i.e are attributed to decisions" (1991,
46) rather than to nature. Or, as Beck puts it, latent side effects
which have been experienced as natural fate are being newly attributed
and where this occurs a sense of the need to manage risk
arises.
Elements of Beck's diagnosis might culminate in a rather gloomy
assessment of the prospects for change. However, he is guardedly
optimistic about the immanent and 'reflexive potential' which
is (will be?) realised in the recognition of self-produced risk.
For example, the cultural authority of scientific experts is being
undermined since their expert knowledge is implicated in the production
of risk in the first place: "There is no expert on risk"
and the concept of 'acceptability' is no longer the province solely
of experts; risk analysis is a "polygamous marriage with
business, politics and ethics (...)" (Beck
1992b, 29).
Drawing from the fragility of scientific authority made evident
in science policy studies, Beck argues that an essential tension,
an adversarial dialectic of expertise and counter expertise, is
constitutive of an emergent politics of risk definition. This
politics is intensified by a confidence in abandoning scientific
arguments about causality ('much will not be able to be corroborated').
A new spectrum of liable parties, in which responsibility no longer
follows causality, has been made possible. Previously, the law
was such that no-one could be blamed and no-one was therefore
responsible (Beck 1995). According
to Beck, the monopoly of rationality enjoyed by scientific hazard
definition, and the division of the world into experts and non-experts
has been shattered and contested. However, the abandonment of
causal authority also provides opportunities for competing definitions
of what it is to manage risk.
As Beck notes, fighting self-produced risks has become a flourishing
industry itself and new instruments of definitional risk-management
are being developed. This has given rise to antagonisms between
risk-definers and consumers, definitional struggles which oscillate
between revealing and concealing risk. These are struggles not
just about methods but also about who is affected and a complex
victimology is emerging from these debates. Beck also points to
new markets, driven by demands for the avoidance of risk, in which
risk production may be normalised (e.g. by tradeable pollution
permits). This is what he describes as a 'cosmetics of risk',
a symbolic industry of risk management. For example, the notion
of an 'acceptable level' of pollution fulfils only the function
of a symbolic detoxification; in the process society has become
a laboratory. And Beck alludes to a certain 'remanagerialization
of risk' which embodies a distinctive logic: the "institutionalized
non-management of problems" (Beck
1992a, 105) in which "security strategies are a side
show" (Luhmann 1991,
29).
Although Beck anticipates some of the dangers of the 'remanagerialization'
of risk, these concerns are balanced by his 'immanentist' optimism
about a new democratic potential: 'poverty is hierarchic but smog
is democratic'. In other words, distinctive potentialities inhere
in the eventual identity of perpetrators and victims and Beck
(1995) argues that big industry
is its own best opponent. These claims, with their typical aphoristic
density, have an ontological flavour: risks are the 'stowaways
of normal consumption'. For Beck, such objective commonalities
have not yet been fully politically activated and, a little like
Habermas perhaps, he posits the ideal of an emergent political
subject. Hence, the concept of 'reflexive modernization' is intended
to express trends in which existing monopolies of knowledge and
politics are breaking down and being replayed into themselves.
In the 'demonopolization' of science, science actually becomes
more necessary even though it is also less self-sufficient for
socially binding definitions of truth: wider publics may be active
co-producers of truth about risk. In this way the internal culture
of scepticism (conjecture and refutation) of science, which was
paradoxically coupled to claims to certainty in external markets,
is being turned inside out. According to Beck, public uncertainty
will turn afresh to reflexive science.
Another dimension of the 'reflexive modernisation' concept is
that the distinction between the calculable and the incalculable
also changes. Beck seems to be pushing for a concept of practical
solvability which is not compromised by expert prevarication about
the immeasurability of side effects. The abandonment of strict
causality corresponds to a repositioning of expert authority:
risk calculation emerges not as controllability but as estimateability
in such a way that secondary effects are robbed of their latency.
Reflexive modernization means the recognition of the self-origination
of threats such that side effects can be reconnected to their
contexts of production. Beck recognises that the collective learning
which such a process of reconnection represents is threatened
by a 'secondary industrialization of consequences and symptoms
which tends to expand markets.' In other words, the sources of
danger are not ignorance (of nature) but structures of institutionalized
knowledge. In short, ways of knowing are ways of being ignorant.
Emergent forms of environmental accounting provide a good illustration
of both this potential and danger. Where 'green disclosures' are
appended to traditional representations of corporate performance
in annual reports, the self-production of risk remains publicly
invisible. Only where external effects can be reinternalized can
the 'invisible be made culturally discernable' (Beck
1992a, 118) and new forms of responsibility can crystallise
around new accountings for side effects (Power
1994c). Although calculability and the attribution of side
effects has always posed problems for credible environmental accounting,
Beck seems to be suggesting that the principle of reinternalization
is more significant than causal accuracy. Exact calculation may
be less important than shifting the institutionalized boundaries
of the reporting entity and thereby shifting the onus of proof
and responsibility.
According to Beck, the seeds for reflexive modernization are
to be found in an emergent sub-politics of, for example, flexible
specialization where new information networks for organizations
are replacing the fictional model of central steering. These transformations
in organizational life embody the essential potential for activating
responsibility for self-produced side effects, ideas which connect
Beck's claims to the wider concerns with rethinking regulation
mentioned above. Reflexive modernization implies that effective
regulation demands a certain kind of self-regulation which
internalizes responsibility for externalized side effects.
Having taken some of Beck's ideas as a point of departure, they
are not without problems. In addition to his methodological elusiveness
(Nowotny 1992), his 'high hopes
may look more like deep illusions' (Bauman
1992) and he is ultimately exposed to the charge of too idealistic
a belief in the potential for a new political subject. This weakness
corresponds to an underestimation of the power of corporate capital.
As one commentator has remarked, 'Most of the institutional changes
which Beck describes...may..be effects of the pervasive intervention
of markets into hitherto unpenetrated or resistant spheres.' (Rustin
1994, 11). Furthermore, it is far from clear that flexibilization
and other such developments are leading to a de-monopolization
of forms of knowledge, rather than a reinforcing of particular
interests. His argument is perhaps overdetermined by the experience
and hopes of the German greens (Rustin
1994, 10) and, rather like Habermas, Beck overattends to science
and fails to recognise the manner in which other disciplines,
such as accounting, have begun to replace the cultural authority
of science (Power 1994d).
For example, Beck's (1992a,
119) democratic enthusiasm for the interdisciplinarity of experts
and dissenting voices underestimates the role of controlling disciplines
in managing interdisciplinarity (Power forthcoming). In this way
'risk prevention is forged into the tired (and now suspect) crisis
management and problem solving..' (Bauman
1992). Ultimately Beck poses the issues of reflexive modernization
at the level of changed individual identities; where his thesis
might have made a significant contribution to the idea of changed
collective subjects, the preconditions of a 'new' corporate subject
(Teubner 1994), he is frustratingly
silent.
Beck poses, in popular form, questions which Luhmann has formalized
in terms of the self-referentiality of social systems and their
second order self-observations. Reflexive observation takes as
its object the risks which lie within the very structures of observation
which determine the sensitivity of social systems to their latent
effects. In very different ways both Beck and Luhmann are concerned
with the risks immanent in knowledge structures: Luhmann's imperative
of maximising 'systems resonance' can be made to look like a project
of making knowledge reflexive. But perhaps both Luhmann and Beck
systematically understate the tendencies by which such new forms
of knowledge become institutionalized and new categories of expert
emerge. The question of 'systems resonance' towards ecological
risk in Luhmann's sense is a function of expert knowledge whose
institutional embodiment determines the extent to which it is
fully reflexive in Beck's sense.
If the paradigm shift to a form of rationality with responsibility
for self-produced risk at its centre is really to occur, accounting
and audit practices, as primary mechanisms by which corporate
activities are presently made officially visible, will also need
to change. It is well known that accounting is a filter for variable
forms of uncertainty in the environment of organizational decision
making. Accounting as a technology for managing uncertainty translates
the spontaneous disturbances of daily transactions into manageable
data for decision making purposes. But in the mode of second-order
observation of accounting operations, it has also been recognised
that, prior to the use of accounting for decision making purposes,
there are 'callibrational' decisions about the distinctions or
categories with which accounting is to function (Hines
1988). It is at this level that the risk of knowledge, rather
than knowledge of risk, resides. And it is also here that, audit
as a practice which monitors and reports on accounts is a test
case for the reflexive potential that Beck and others describe.
III
At first glance, audit practice seems to coincide broadly with
theoretical ideals of reflexive self-observation. Audits make
practices transparent to insiders, enable third party scrutiny
and thereby enhance internal and external accountability. Audit
facilitates a legitimate 'right to know' (Gunningham/Prest
1993, 523) and challenges the 'natural' authority of the practices
by demanding new accounts of performance.(2)
At the same time audits are conceived as 'light' regulatory
devices which monitor individuals and organizations but which
also leave them alone and which presuppose the autonomy of the
auditee. The basic idea and hope is that the auditee, subject
to the gaze of the regulatory body, is stimulated to engage in
further processes of self-audit through which practices
and procedures are constantly improved relative to benchmark standards
of performance. In this manner external audit arrangements
demand an internal reflexive self-auditing process, a certain
kind of critical self-observation which forces standards of behaviour
from below (Simmons/Wynne
1994).
This blueprint for audit practice coincides with ideals of sub-contracted
regulation: it provides distant regulators with a mechanism of
control which engages with and shapes decision processes inside
the regulatee. The audit communicates to the regulator in various
ways, the simplest being a form of certification of compliance.
In this way auditors are a form of 'entrepreneurial gatekeeper'
(Kraakman 1986), to whom rights
of inspection have been delegated and for which they provide some
form of attestation or certification of the regulated entity.
The regulator's dream is fulfilled: audit maintains the residues
of central oversight while functioning as the basis for auditee
self-reflection and improvement. Moreover audits are cheap since
the auditee pays; audits are located at the bottom of an 'enforcement
pyramid' which can escalate upwards into more punitive forms of
regulation (Gunningham/Prest
1993, 522).(3) In
short, auditing reconciles compliance needs and organizational
learning.
This ideal image of what auditing can achieve has fuelled an
'audit explosion' (Power 1994a;
Power 1997) in many different
fields. Audits have become central to the legitimation of a wide
range of entities and groups. From the governance structures of
private sector corporations to charities to psychotherapeutic
practitioners, audit has become an important symbol of acceptability,
indicative of ideals of transparency, accountability and managerial
willingness to learn. To be audited or to say one is doing an
audit is to claim institutional credibility for what one does.
However, for all the ideological momentum that auditing has acquired,
it remains an ambivalent practice and it is unclear what it produces.
Indeed, the success story of auditing has much to do with this
ambivalence and its ability to produce symbols of comfort for
anxious rulers (Pentland 1993).
At the extreme, instead of facilitating reflexivity and learning,
audit is a form of elaborate organizational self-presentation,
rich in the images of risk management and assurance which are
demanded by a 'politics of fear' (Bauman
1992). The central question is whether it is a substantive
or merely formal control practice.
The 'audit explosion' represents a distinctive shift in regulatory
style which reformulates, rather than abandons, an older style
of hierarchical control. Auditing can be characterized as a form
of 'control of control' operating at the interface between regulatory
and management systems of control. The idea is that control is
now exercised in chains (or layers, depending on the guiding metaphor)
with each link (layer) in the chain primarily controlling its
neighbour by stimulating forms of self organization and control
(See figure 1).
Figure 1. Control of Control
It is through this chain that the regulator, ultimately the state,
and the regulated are linked in a form of 'mutual' regulation.
The former enlists the competence of the latter by delegating
control along the chain and, in return, is provided with appropriate
signals of regulatory compliance. The latter derives legitimacy
and market power from state endorsement of competence and is disturbed
by audit processes into developing systems of control which, through
both internal and external audit processes, can be self-observing.
Auditing provides the crucial link in this chain of control, mediating
both state and organizational objectives; it faces both ways at
once.
Applied to figure 1 the idea of control of control means that
the state controls and certifies the external audit process while
maintaining its own inspectorial capacity. External audit concerns
itself primarily with organizational systems of control, particularly
the internal audit function itself. In turn, the internal audit
function, which is a 'higher' element of the management system,
observes and reports primarily on the operation of that system
rather than on the organization activities directly. Finally,
the management system of control itself observes the first order
activities of the organization itself, made visible to the control
system by some form of accounting for performance. The idea of
'control of control' means that auditing processes are more indirect
than is commonly imagined; they seek to observe and stimulate
the development of control systems and they verify systems' structure
and operations. This is effectively the 'observation of arrangements
for self-observation' and the 'control of control' structure is
implicit in regulatory initiatives in many different areas. The
hope is that such an approach will stimulate responsible self-observation
and learning by organizations. However, the control of control
ideal is often problematic in practice.
First, the form of certification which flows from left to right
in figure 1 is low in informational content and deliberately so.
What tends to be important is that an audit is done, not
what is done. This means that control of control does not
necessarily correspond to the openness and transparency that is
often claimed for it. Consequently, audits require that auditors
are trusted: if audits are to make the practices of auditees acceptable
and credible then the auditor must also be a legitimate actor.
Hence, the audit explosion has been accompanied by a wave of state
sponsored auditor-accreditation initiatives (Gunningham
1993). This has been most conspicuous in the environmental
auditing realm, but is also evident elsewhere. The state delegates
and certifies auditing competence.
Second, audits are not as neutral in their effects as the idea
of observation suggests. Audits 'make things auditable' (Power
1996) because they require individuals and organizations to
be made visible in a manner which conforms to the audit process.
This means that auditing actively stimulates the development of
systems and the related forms of accounting for performance which
make the control of control possible. Audit is not just a link
in the chain of control pictured above; it actually determines
the form of those links. This suggests a close relation between
organizational accounts and the forms of auditing which validate
them; audit presupposes a domain of auditable facts. In the case
of financial audit, these 'facts' have been around for many years
and get revealed in the production of financial accounting statements.
However, in the UK in the 1980s and 90s audits have functioned
for the first time in many organizations where very few formally
auditable facts existed. In these cases a control of control structure
like that in figure 1 needed to be created and the auditable facts
of performance had to be constructed by means of an accounting
and control system. Once this structure is in place, audit can
function as the control of control. For example, in the case of
health care, a control of control structure based on figure 1
can be constructed (see figure 2).
Figure 2. The Structure of Medical Auditing
These different links are becoming explicit, formal and distinct.
Historically, the self-observation of medical practitioners was
a private, local and ad hoc affair. In recent years in the UK
there has been considerable experimentation with forms of clinical
accounting and management control systems which would reveal the
'facts' of practice and which would thereby also make medicine
auditable. Most non-financial health practitioners understand
the concept of medical audit and its variants as this process
of accounting. In many instances it is like an internal data gathering
exercise in which doctors ask themselves how they can improve
clinical procedures. Much of the practitioner support for auditing
of this kind is really the local enthusiasm of those who wish
to improve practice and audit is the label they choose for this
enthusiasm. It is a basis for explicating and improving local
procedures, for building group trust and commitment and for providing
newly visible facts as a basis for intervention and improvement.
In its pure form it is reflexive in Beck's sense and there is
a potential for the recognition of self-produced risk in the form
of misdiagnosis and patient mismanagement.
Figure 2 suggests that these self-auditing practices make the
practice 'auditable' in another important sense: clinical accounting
makes the external evaluation of activities thinkable and possible.
The structure in figure 2 is still evolving in the medical context
and there is still very little systematic knowledge about the
effects of external audit on the first order practice or about
how local 'self-audits' to the left get coupled to broader programmes
for control, supervision and evaluation on the right (Power
1997, chapter 5). In medicine service purchasers have begun
to make self-auditing arrangements a contractual condition. Some
contracts even require that these local self-audits get externally
verified and certified by an auditor in a manner very similar
to general quality assurance initiatives, such as ISO 9000. Although
many medical practitioners are uneasy about these developments,
the control of control structure in figure 2 is becoming institutionalized
The third issue is that, in mediating regulatory bodies, service
purchasers and first order organizational activities (producers
and service providers), auditing provides a problematic conjunction
between different logics: service quality evaluation and cost-effectiveness.
Although it is not easy to provide any a priori judgement about
the effects of these disparate logics, two points are worth making.
First, a logic of effectiveness based on need and one based on
economy and efficiency may often point in different directions.
In order for audits to manage this potential conflict there must
be extensive investment in making these two logics compatible:
a cost effective and efficient health service must also be an
effective one; superior environmental performance must be made
compatible with cost savings for organizations and so on. In short,
audits must produce comfort and not conflict. They do this by
tending to concentrate on systems values, the next link in the
chain of control rather on than first order activities. In short
quality is a function of systems rather than the activities which
these systems control.
Fourth, the right hand side of figure 1 suggests that state regulators
and other bodies are delegating regulatory arrangements and using
sub-contracted audit as a basis for maintaining oversight. This
is only a slight exaggeration; the rise of audit as the control
of control is a challenge to other inspection and assessment type
practices which typically attempt direct observation of first
order activities. Inspection is becoming more like audit and in
many fields it is the arrangements for self-inspection which are
being inspected. Forms of self-inspection or self-audit (internal
audit) are becoming standardised around a management system
which has two faces or surfaces. The inner face corresponds to
local needs for systematic knowledge and control; the outer face
makes evaluation and audit of the system possible. The outer face
provides a basis for certification of internal control systems
and is central to the structure of control of control. The management
system also provides a 'buffer' between the external auditor and
an evidential base grounded in the complex outputs of the audited
activity. In this way, external audit which certifies the operation
of the system is possible because it is not inspection,
because it does not look closely at specific service outputs but
only at the operations of the system. The certifying auditor does
not, like an inspector, require expert knowledge of the auditee
but only a more abstract and portable knowledge of systems (Power
1995).
If this is generally correct, many 'audits' cannot automatically
be identified with surveillance and the 'audit society' is not
simply a surveillance society (Dandeker
1990; Lyon 1994). Audits may
provide images and signs of surveillance but they do not in substance
do this; they are a control of control. They operate in the realm
of feasible oversight, are cheaper than inspection and
often generate symbols or badges of control which are in excess
of what they actually do. This is what financial auditors call
an 'expectations gap' between what the public and regulators demand
(e.g. that auditors detect fraud) and what auditors can really
do (review systems for weaknesses). Although financial auditors
complain about this expectations gap, they cannot really do without
it. Public misinterpretations of the symbols of comfort they provide
in audit reports is essential to their market success. The lesson
is that the control of control structure of regulation must remain
poorly understood because if we cannot know the risks we face,
we must nevertheless act as though we do (Douglas/Wildavsky
1982). A particular style of auditing has become institutionalised
as a mechanism for acting as if we know the risks we face,
for processing and controlling risk and for the production of
signs of control. Audits supply images of rational control in
a fragmented postmodern world which increasingly produces 'not
material objects, but signs' (Lash/Urry
1994, 15) or badges.(4)
Two areas where this style of control of control is particularly
evident are environmental auditing and the institutional responses
to the risks generated by trading in financial derivatives.
Environmental auditing
In the case of environmental auditing, much regulatory and industry
energy has been expended on trying to define what it is and who
should do it. These debates reflect competition in the field (Power
forthcoming). Whatever else can be said, environmental audit is
not inspection and this is one reason why the US Environmental
Protection Agency has been cautious in its endorsement of the
practice (Bregman/Jacobson
1994, 221). It is not a critical appraisal and reinternalization
of environmental impacts; it is conceived primarily as a 'management
tool' capable of sending appropriate signals to distant authorities.
Environmental audits are essentially a form of control of control
in the sense described above. The two prominent schemes which
have been developed in Europe are BS 7750 (incorporated into the
ISO 14000 series) and the European Union Eco-Management and Audit
Scheme (EMAS). Both are voluntary schemes. Although EMAS has more
developed reporting implications, both schemes emphasise the importance
of a management control system whose operations can be observed.
The primary role of the external verifier (EMAS) and certifier
(BS 7750) is to attest the proper functioning of the management
system, an attention to procedure rather to than the output of
the auditee (Simmons/Wynne 1992, 215). Figure 3 provides a schematic
overview.
Figure 3. Environmental Control of Control
Both schemes can be regarded in part as variants of a general
model of quality assurance in manufacturing systems. Quality,
environmental or otherwise, is not so much incorporated directly
into a product or service but into the process which produces
them (Brüggemeier 1994,
90). This shift makes possible a style of external auditing as
the certification of a quality assurance system rather
than of the products and services themselves. The systems emphasis
within environmental auditing has been criticised as misleading
and bureaucratic, particular by those who favour direct inspection
rather than chains of control of control.
Environmental auditing developed in the USA from forms of private
self-auditing with the aim of minimising potential liabilities.
Now the practice has begun to embrace forms of public disclosure
(Bregman/Jacobson 1994,
220) and the environmental audit 'quality' label is a form of
certification intended to enhance trust and confidence in the
product or service (Simmons/Wynne
1994). The control of control structure of environmental auditing
reflects a chain of certification which does not directly and
explicitly communicate information but signals it indirectly.
Because of this environmental audits have a problematic relation
to transparency. They produce a second-hand form of assurance
that someone, the auditor, has looked at the service or activity.
But this is not a kind of transparency which invites or could
stimulate wider discussion; environmental audits are not, and
are not intended to be, democratic practices; they may even make
auditees less transparent and more obscure to stakeholders (Simmons/Wynne,
1994). At worst the control of control structure insulates
the auditee from outside inquiry; it does not stimulate a "careful
balancing of arguments" (Royal
Society 1992, 166). From this point of view, the question
is whether environmental audits are in reality tools of pacification
rather than exemplars of 'reflexive modernization'. Much depends
on the role of the control of control structure in fulfilling
regulatory hopes by stimulating substantive organizational learning
and improvements with unequivocal environmental benefits.
Like Beck in his more optimistic moods, Ladeur (1994,
322-3) describes environmental audits in terms of their potential
to activate "new forms of self-observation" within a
"more flexible 'proceduralized' firm. (...)The main principle
of these environmental management systems should be the generation
of more risk information." In other words, a procedural
internal reorganization of the firm is a precondition of reflexive
regulation. The danger is that the re-managerialization of risk
through auditing schemes may drift towards values of certification
to please regulators and purchasers rather than toward new opportunities
for recognising and acting upon the self-production of risk. Such
a development may not offer the prospect of a paradigm shift,
a new consciousness of self imposed risk. Rather, there is a danger
that organizations look increasingly inwards at their structures
of risk management, and close off, often defensively, possibilities
for greater 'environmental resonance'. This is the main problem
with a regulatory style based on control of control.
Financial Derivatives and Risk Management
Risk is conventionally regarded as a measure of the dispersion
or variation in the economic returns to be expected on stocks
and shares. Diversification is a rational basis for managing and
minimising this risk, and this has been formalised in terms of
portfolio theory. This theory tells us that rational economic
agents who diversify are left only with undiversifiable or 'systematic'
risk. The latter is the risk of the market as such rather than
the specific share. These market risks appear impersonal relative
to individual decision makers; they can be regarded as the environment
of their risk calculations. However, even these risks can be 'managed'
by the use of derivative financial instruments, derivative because
their value is linked to underlying market variables such as the
price of a stock, a commodity, interest rates or even a market
index. Derivatives have therefore become essential to sophisticated
economic agents who wish to manage the risks they face. Financial
instruments with contingent characteristics (options) can be used
to offset these risks. These instruments can also be used to speculate
or bet on changes in the market variables.
The diversification of risk via financial management provides
a metaphor for the diversification of responsibility. Individual
traders, with the possible exception of the misleadingly titled
'hedge' funds, do not connect what they do with such seemingly
systematic phenomena as market volatility, which they experience
as external to themselves. In financial markets it is as Beck
(1992b) has put it: everyone
is cause and effect and thus non-cause and therefore not responsible.
However, financial regulatory authorities have a political responsibility
for market stability regardless of their actual capability for
control. In the 1990s, these authorities have been reacting to
the implications of derivatives. In the wake of the recent demise
of Metallgesellschaft, Orange County in the USA and Barings Bank
there is a conspicuous popular demonology of derivatives: these
instruments have been described as an economic 'contagion.'(5)
Regulatory anxiety is highest in the case of what has come
to be called 'systemic risk'. This is the risk that the whole
financial system could be affected 'domino-style' by the failure
of a single large counterparty. Individual traders in derivatives
principally face two types of risk: market risk that the market
variables which define the derivative instrument (e.g. exchange
rates, interest rates) may move unfavourably and counterparty
risk where, even where the market moves favourably for one party,
it has moved sufficiently for the counterparty to be unable or
unwilling to pay. The worst case scenario is a system meltdown
triggered by counterparty failure and its knock-on effect to compensation
and insurance mechanisms.
In the field of derivatives trading, an emerging pattern of control
of control is clearly evident. Regulators are engaged in what
Luhmann would describe as 'second order observation' i.e. the
observation of the manner in which risk calculations are made,
of the risk of the 'market risk' calculations by derivatives market
traders. Regulatory response is still evolving but conspicuous
among the array of tools is the demand for improved 'management
systems' for derivatives trading which embody purpose built risk
models.(6)
A form of 'derivative risk' auditing has begun to emerge
which reports on the effectiveness of the risk management system
in alerting management to any potential risk rather than directly
on the nature of the specific exposures a firm may face. Such
a system is very similar in structure to the environmental management
systems of BS 7750 and EMAS: there must be a policy, monitoring
of compliance with the policy and independent review and audit
(Touche Ross, 1994). Once again,
figure 1 can be adapted to the case of derivatives management.
Figure 4. Control of control for derivatives trading
As in the cases of medical and environmental auditing, the structure
of figure 4 is still developing, but its attraction as a regulatory
approach in this context is clear. The intention is that financial
organizations are made aware of the self-production of risk to
themselves. Self-auditing through 'stress tests' and other forms
of systematic knowledge of risk exposure simultaneously control
the risk that would be exported to the system as a whole if the
organization failed to fulfil its obligations as a counterparty.
Auditing is particularly attractive in this context because regulators
lack extensive inspection capacity both in terms of knowledge
and financial resources. But, importantly, it also provides the
system with images of self-control. Auditing makes regulation
in this most difficult technical area look possible and, above
all, manageable by providing the link between the aspirations
of distant regulators and those of profit oriented traders. Financial
organizations are coming to accept the merits of risk management
systems and the need for structured and timely self-observation
as a condition of their survival.
IV
Social theorists, like Ulrich Beck, have identified a number
of tendencies within late twentieth century societies. While much
has been written about the essential centrifugal and fragmenting
forces which operate, relatively little has been written about
the growth of compensating structures which seek, in some broad
sense, to 'hold things together'. Auditing in North America and
the UK fulfils a complex mixture of functions; it is simultaneously
a form of a confessional, a method of policing, a stimulus to
learning and a public relations exercise. It attempts to offset
the decline of a central control capability by the internalization
of compliance and control. In this broad sense, audit has become
a substitute for law.
At the centre of the audit process is the management system which
is conceived as an opportunity both for organizational learning
and for compliance with desirable social ends. The idea and practice
of a management system internalized by a regulatee is an important
regulatory resource. Such a system makes audit feasible both economically
and epistemically. In Beck's terms, the 'fissures and gaps' between
social and scientific rationality are patched over in the management
system and its 'promise of security'. Inspection of outputs might
be too costly and may produce awkward conclusions; it also requires
the inspector to know something about what is being inspected.
The management system provides a surface which makes a certain
kind of certification based audit possible; it is a buffer between
the auditor and what the organization really does. And the auditor
does not want to stray beyond her brief, beyond the comfortable
world of the management system and the production of comfort.
Audit is a style of regulatory response which restores the mission
of regulation; it produces politically important signs of control
and of compliance. As part of a chain of 'control of control'
auditing provides comfort that the next link in this chain, a
control system, is functioning according to its blueprint.
The cases of medical, environmental and derivatives auditing
suggest how the internal creation of a management system has become
a particular style of risk management. The ambivalence of what
audits produce and their lower cost (relative to inspection) is
their attraction both to regulators and to auditors since the
chain of 'control of control' fragments responsibility. When things
go wrong on the right of figure 1 above, such as a financial or
environmental scandal, who can be blamed? The question is difficult
to answer and financial auditors claim that they are often wrongly
accused. The regulatory style which auditing represents cannot
unproblematically be regarded as evidence of 'reflexive modernization'
in which the self-production of risk is both internalized and
opened out to dissenting groups. Audits are generally private
affairs and local self-auditing rarely gives rise to greater transparency
and participation. Furthermore, auditing is not merely a neutral
monitoring device in a chain of control but acts on the next link
in the chain to make itself possible. The effects of this kind
of auditing remain poorly understood.
In the end environmental 'resonance' in Luhmann's terms may tell
us less about the dangers we 'really' face and more about the
'risk experts' and their practices who become trusted (Douglas/Wildavsky
1982). This is long way from the provision of forms of information,
either internally or externally, which could generate new conceptions
of responsibility, a new self-observation of the self-production
of risk. But is there nothing to be salvaged from auditing which
suggests the emerging transformations described by Beck? Could
auditing actually be a vehicle for a reflexive modernity? The
question is whether, for all the problems described above, the
control of control structure in all its different forms may nevertheless
create the kinds of "social entanglements or commitments"
and "regularized forms of openness" (Selznick
1994, 397) which make organizations more sensitive and porous
to their environments. Much will depend on whether regulators
can stimulate audits which really do mediate between general principles
of control and accountability which have a populist basis, and
internal procedures capable of uniting technical and moral competence.
This is ultimately an empirical question and in this essay I have
attempted to temper some of the unguarded optimism and enthusiasm
which has accompanied the 'audit explosion.' It should also be
remembered that Beck is correct to suggest that the 'institutionalized
non-management of problems' is only one more disaster away from
abandoning its commitment to the production of comfort.
