Mediating figures: risk mapping in inter-organizational project control
Paper submitted to the IPA conference, Cardiff, 2012
Abstract
In this paper, we analyze the relationship between management control and risk
management by investigating the use of risk maps in an inter-organizational project
collaboration in the Norwegian petroleum industry. The various ways in which risk
maps are drawn upon in the course of the studied project reveal sources of
perceived ‘usefulness’ that are not primarily to do with increased attention towards
early warning signals or the defensive production of audit trails, as suggested by
previous research. Rather, the ethnographic study shows that risk maps act as
mediating instruments which allow distributed actors to associate with ‘the project’
and its progress over time. Several characteristics of risk maps are linked to their
use as mediating instruments, such as figurative, diagrammatic outlook,
commensuration, ambiguous prospective and evaluative connotation and flexible
zones of (ab)normality. Drawing on social studies of science and technology as well
as on the ‘Montreal school’ of organizational communication, the paper extends and
complements existing explanations of the pervasiveness of enterprise risk
management technology.
Keywords: mediating figures, risk representation, risk map, inter-organizational
control, enterprise risk management
Introduction
Risk management technologies have recently gained increasing significance as
internal control technologies and prime objects of corporate governance regimes
(Arena et al., 2010; Mikes, 2009; 2011; Power, 2004, 2007; Power et al., 2009;
Woods, 2009). Power (2004, 2007) has identified a risk management ‘explosion’
since the mid 1990s in which ever more events and things have been seen and
described as organizational ‘risk objects’. Discursive events such as the Brent Spar
controversy in 1995 and diverse corporate scandals as well as ensuing corporate
governance regulations enhanced the discourse of enterprise risk management
(ERM) in terms of a shared understanding that being a ‘good’ organization is
synonymous with having a broad and formal risk management program (Miller et
1
al., 2008; Power, 2004). Characteristics of such ‘holistic risk management’
programs (Mikes, 2009) are the linkage between risk management and strategic
objectives, the inclusion of risks that are hard to quantify such as operational and
reputational risks, and an emphasis on internal control systems which proceduralize
and normalize risks. According to Power (2004, 2007, 2009), this development is
potentially problematic since organizations might focus their attention on
‘secondary risk’ management, that is on the production of risk representations and
documentation that guard organizations from external critique and manage their
reputation, and in that it may reinforce a culture of blame avoidance and
defensiveness where it becomes ‘risky’ for practitioners to exert judgment, respond
to early warning signals and admit mistakes. As such, current risk management
discourses arguably work against the creation of what High Reliability scholars
have called ‘disruptive intelligence’ (Turner and Pigeon, 1997) and ‘mindful
organizing’ (Weick, 1987, Weick et al., 1999; Weick and Sutcliffe, 2001), features
of organizing that allow for flexible revision of assumptions in the face of
unexpected events (Power, 2007).
Currently, only few studies have investigated how and with what effects the
prevalent ERM discourse is actually translated in concrete organizational practices
(Arena et al., 2010; Mikes, 2009, 2011). In particular, there is a lack of detailed
accounts as to how particular risk management technologies are organizationally
enacted (Orlikowsi, 2000) and to which extent their use enhances organizational
mindfulness towards primary risks and a secondary risk management logic of
preoccupation with legitimacy, auditability and defensiveness. So far, analyses of
the translation of ERM into practice have focused on the extent to which ERM
practices are tightly or loosely coupled to operational decision-making,
investigating under which circumstances the ERM agenda becomes central to
managerial decision making or appears to occupy a purely ritualistic role of
impression management (Arena et al., 2010; Mikes, 2009, Power et al., 2009). Less
emphasis has been placed on how particular risk representation technologies are
actually handled in practice and for what kind of purposes they are drawn upon. The
construction and circulation of risk maps and associated risk registers, for instance,
might affect organizational members and their collaboration in more or less subtle
ways, even if managers do not explicitly see these devices as most relevant tools for
paying attention to potential threats and dealing with perceived ‘risks’.
2
This paper seeks to contribute to our understanding of risk management practices
by investigating the performance of risk maps as prominent ERM technologies
(Mikes, 2009; Power, 2007; Woods, 2009). This is done by analyzing the ways risk
maps are deployed in the course of a technological upgrading project in the
Norwegian petroleum industry in which this tool emerged as one of the most
prevalent representational technologies.
Furthermore, in contrast to prior studies, our ethnography is situated in an interorganizational context. Inter-organizational collaboration often involves particular
problems of coordination, control, legitimacy and understanding (Bourrier, 2005;
Vlaar et al., 2006) which make the use of joint representation devices both relevant
and potentially problematic. We thus analyze how risk maps are set up and for what
kind of uses they are enrolled during the inter-organizational project collaboration.
Drawing upon a sociology of science and technology perspective (Callon, 1986;
Latour, 1987; 2005) and the Montreal school of organizational communication
(Cooren, 2004; Cooren et al., 2011; Taylor 2011; Taylor and Cooren, 1997), we
examine risk maps as they are performed in an inter-organizational project and we
relate the particular observed uses to technical-semantic characteristics or
‘affordances’ (Gibson, 1979; Kaplan, 2011) of risk maps and the regulative and
organizational context in which these practices are situated.
In line with Power (2007), we observe that risk maps tend to develop a life of their
own and are implicated in the production of reassurance rather than caution. Project
members are critical of such normalizing and reductionist effects of risk maps.
Actors’ attitudes towards risk maps are ambiguous, however, in that they
characterize them as problematic at the same time as they regard them as valuable
tools for inter-organizational coordination and draw upon them frequently in their
interactions. The various ways in which the maps are drawn upon in the course of
the project reveal sources of perceived ‘usefulness’ that are not primarily to do with
increased attention towards early warning signals or the defensive production of
audit trails, but rather with the creation of commitment and the mediation of
distributed actors’ activities in an inter-organizational setting, allowing the project
to ‘progress’. Several characteristics of risk maps such as figurative, diagrammatic
outlook, commensuration, ambiguous prospective and evaluative connotation and
flexible zones of (ab)normality can be associated with the observed enactment of
risk maps in this context. These characteristics do allow risk maps to act as
3
mediators between distributed project actors, linking ‘non-local’ ERM ideals with
‘local’ aspirations and imperatives of practitioners (Kurunmäki & Miller, 2011)
such as achieving ‘synergy’ and ‘alignment’ in project coordination and control.
Describing how risk maps are put to use and performed, the paper illustrates how
the government of risk is related to mediating instruments and how such mediation
happens in the interplay between texts and conversations.
The paper is structured as follows. First, we review extant research on risk
management practices and their theorizing on how risk representation technologies
are linked to their social and organizational context. We then introduce our
theoretical and methodological approach before describing the study setting.
Subsequently, we move to characteristics of risk maps and analyze their use in our
inter-organizational case. The empirical findings are then discussed in the light of
existing literature and we conclude by outlining areas for further investigation.
Risk management discourse and practice: the role of risk representation
technologies
Social and cultural theories regard risk as a socially constructed category (Beck,
1992; Douglas, 1985; 1992; Giddens, 1991; Weick, 1987; for an overview, Gephart
et al., 2009 and Lupton, 1999). With regard to organizations, Miller et al. (2008)
conceive of risks as those phenomena that are conceptualized and managed as risks
within companies. Likewise, Power (2007) advances an understanding of risk as a
conceptual ‘object’ within institutional space: as the product of social,
organizational and managerial processes by which various objects get recognized
and described as risks. Such an understanding ascribes risk representation
technologies a pivotal role in constituting and institutionalizing what comes to be
seen as ‘risk objects’ and as legitimate ways of managing risks. As Power et al.
(2009: 303) point out, “This conception frames our attention to the routine
management systems and instruments, including definitions and categories for
representing contingent outcomes as risks.” Such instruments are thus seen as not
merely describing, but also performing risks by introducing new understandings of
responsibility, accountability and decision making (ibid.). In his analysis of the
recent risk management discourse of “enterprise risk management”, Power (2004,
2007, 2009), describes how regimes of corporate governance, such as the Sarbanes
Oxley Act, the Basel accords and COSO guidance on monitoring internal control
4
systems are constitutive of a new type of “risk governance”. These regulative
regimes emerged in the 1990s as a response to increased pressures for transparency
and accountability of the risk analysis process itself, thus emphasizing the
managerial processes by which risk assessments are made rather than their content
per se (Power, 2007). The necessity for giving account of accepted risk
management procedures leads to a preference for rationalism and standardization,
where risk management itself becomes the object of secondary risk management in
order to prevent the ‘reputational risk’ of not being able to testify that a proper risk
management process is in place (Power, 2007; Power et al., 2009). Essentially two
problems arise from this development. First, the excessive focus on producing
legitimate accounts of risk management may lead to a decoupling of risk
management technologies and the actual practice of identifying and dealing with
(primary) risks. Second, professional judgment that cannot be supported by
standardized risk management technologies might become suppressed as it loses
legitimacy relative to such technologies, thus fostering a culture of defensiveness
and blame avoidance rather than the ability to critically envision alternative futures
(Power, 2009).
What characterizes enterprise risk management technologies? The ERM discourse
calls for integrated risk management technologies, i.e. comprehensive risk
assessments of quantifiable and non-quantifiable risks that are linked to strategic
objectives and internal control systems. According to Mikes (2009), two sets of
techniques are characteristic of ‘risk-based internal control’, scenario analysis and
decision tree methods borrowed from the strategy and decision making literature on
the one hand, and risk mapping, risk self assessments and risk reviews originating
in internal audit, on the other. The latter, judgmental methods become particularly
important for the assessment of non-quantifiable risks and for the provision of
overview in correspondence to ‘risk governance’ requirements: “[t]he emphasis on
risk identification systems gives technologies of risk visualization or ‘mapping’ a
more central position in the management process than risk calculation; governance
requires overview instruments” (Power, 2007: 80). Judgment-based risk maps, the
focus of this paper, thus constitute central ERM technologies that have become
institutionalized as tools mainly for senior management. They create representations
of a rational risk management process and thereby constitute “a trail of evidence for
5
regulators” (ibid.: 81), but may not be very actionable and functional for internal
decision making.
Empirical studies investigating risk representation technologies as they are enacted
in organizational practice are scarce. Woods (2009) investigates the use of risk
maps in the Birmingham city council. Taking a contingency perspective, she
proposes that risk management as enacted by risk mapping in a public services
context is contingent on central Government policies, the organization’s size and
features of information and communication technology
such as the possibility of
automatic update and the availability of risk registers on the intranet. Arena et al.
(2010) investigate practice variation in ERM along the dimensions of rationalities,
experts and technologies (Miller and O’Leary, 1987; Miller and Rose, 1992),
focusing on the extent to which ERM practices are integrated in or decoupled from
everyday business. They find that ERM practices and their decoupling or
embeddedness vary depending on pre-existing organizational logics. ERM becomes
more integrated in everyday decision-making when it is linked to a ‘pervasive
performance rationality’, when risk experts create a continuous challenge to predict
risks and when ERM is combined with relevant performance indicators in a
measure such as profit-at-risk, rather than depicting risks on qualitative risk maps.
Similarly, Mikes’ (2009, 2011) studies of ERM practices in different banks provide
an account of how different ‘calculative cultures’ conceive of ERM, distinguishing
‘quantitative enthusiasm’ from ‘quantitative skepticism’. These studies show that
ERM is enacted differently in different contexts, and describe characteristics of
such practice variation. With their relatively broad comparative focus, they do not
look at specific technologies-in-use in more detail, i.e. in terms of how different
actors draw upon these technologies in concrete decision-making instances, and
what different roles these tools come to play. Furthermore, extant studies have not
addressed the use of risk representational technologies in contexts where
organizational borders are crossed, that is when representations are constructed for
internal decision-making as well as for reporting, control of and giving accounts to
external parties. We seek to address these issues by investigating how risk maps are
implicated in decision-making and communication processes in the course of an
inter-organizational project collaboration.
Studying the performance of risk maps as an interplay of conversation and text
6
Focusing on what risk maps ‘do’ in practice, we take a sociology of science and
technology perspective (Callon, 1986, 1998; Latour, 1987) and draw upon the
Montreal school of organizational communication (Cooren et al., 2011; Taylor
2011; Taylor and Cooren, 1997). Post-humanist approaches in the sociology of
science and technology (Callon, 1986; Latour, 1987, 1994, 1996, 2005) focus on the
mutual engagement of human and nonhuman actors. Technology is investigated as
to how its performance in diverse local contexts brings about socio-technical
macro-agents such as markets (Callon et al., 2007; Doganova and Eyquem-Renault,
2009; Miller and O’Leary, 2007; Muniesa et al., 2007) and organizations (Talyor,
2011; Taylor and Cooren, 1997), and allows for action and control at a distance
(Ezzamel et al., 2004; Law, 1986; Robson, 1992; Rose and Miller, 1990). Of
particular relevance are intermediaries (Beunza and Garud, 2007; Callon et al.,
2007) or ‘mediating instruments’ (Miller and O’Leary, 2007) that circulate within
techno-economic networks and mediate the relationships between distributed actors,
distinct imperatives and domains such as science and the economy. Representation
devices like technology road maps (Miller and O’Leary, 2007), PowerPoint
technology (Kaplan, 2011, Stark and Paravel, 2008), project time lines (Yakura,
2002), standards (Bowker and Star, 2000) and accounting (Quattrone, 2009) seem
to be particularly inclined to take on such mediating roles, as they build a stable
frame of reference, can be transported through time and space and are abstract and
flexible enough to be associated to local concerns and activities. Building upon this
perspective, the Montreal school of organizational communication holds that
technological action is often discursive, as it happens in ‘conversations’ (e.g., risk
management meetings), and draws upon and produces narrative and calculative
‘texts’ (e.g., risk maps) which are embedded in other texts (e.g. cost information,
internal guiding documents and industry regulations) (Cooren, 2004; Hardy et al.,
2005; Taylor, 2011). It is in the recursive relation between texts and conversations
that collective macro-agents come to form and re-affirm an identity in their ‘coorientation’ towards a particular text (Taylor, 2011; Taylor and Robichaud, 2004).
Studying the performance of risk maps from this perspective implies viewing these
devices not as pure representation technologies which refer to an objectively
existing entity ‘out there’, but as constructive devices which bring about the object
which they represent, such as diverse ‘risk objects’ or other economic entities
(Kalthoff, 2005; Quattrone, 2009; Power et al., 2009). The performativity of
7
technological devices is based on their embeddedness in and interdependence with
particular systems of thought, such as economic theory (Hopwood, 1992;
MacKenzie and Millo, 2003), and on certain material and semantic features or
‘affordances’ that allow them to circulate and be appropriated by different agents
(Latour, 1987; Kaplan, 2011; Miller and O’Leary, 2007; Quattrone, 2009; Robson,
1992; Stark and Paravel, 2008). Importantly, technology is seen as influencing, but
not determining particular shared understandings and courses of action, since its
enactment is regarded as a collective human-nonhuman achievement situated in a
particular context (Qu and Cooper, 2011).
Capturing the performance and peformativity of risk maps, we therefore need to
take into account certain characteristics or ‘affordances’ (Gibson, 1979; Kaplan,
2011) of the risk map technology itself, the ways in which the technology is drawn
upon by different actors (Doganova and Eyquem-Renault, 2009; Stark and Paravel,
2008), as well as the tool’s embeddedness in its inter-organizational and regulative
context (Hardy et al., 2005). We thus consider risk maps ‘in action’ and investigate
the role of risk maps during an inter-organizational project collaboration aimed at
upgrading parts of the technical infrastructure in two gas plants in the Norwegian
petroleum industry.
Study Context and Methods
The empirical material originates from a case study on an upgrading project in the
Norwegian petroleum sector. This project involves an inter-organizational
cooperation between three major actor groups, the owner organization which is a
joint venture of eleven oil and gas companies on the Norwegian continental shelf,
the operator organization and the technical service provider organization (TSP).1
The project’s objective is to change obsolete systems and components in the
compressors variable speed drive systems of two plants. The systems being
upgraded during this four year project are essential for the gas flow in and out of the
plants, so that the project is of high priority at the same time as it is endowed with
several dangers and risks. The operator of the two plants is responsible for the gas
transportation system from Norway to Europe and initiated the upgrading project.
The project is supervised and financed by the owner organization. TSP runs the
1
Other actors such as diverse contractors are variably enrolled in the project, too. We focus in our
analysis on the three central actors involved throughout the whole project, but contractors are
included in the analysis to the extent to which they are referred to in risk management practices, e.g.
when they are made a ‘risk object’ on the risk map.
8
plants on a daily basis and is responsible for implementing the technical solutions
during the course of the project. TSP is supervised by the operator. The relationship
between the organizations is illustrated in figure 1 below.
Owners
supervise
report
Operator
supervise
report
Technical Service
Provider
Figure 1: Main actors groups and their inter-organizational relationship
The operator and TSP closely collaborate and are in frequent contact via meetings,
telephone and email. In regular monthly meetings, the operator and TSP discuss the
project status related to major issues such as cost, schedule, risks and upcoming
milestones. The owner organization receives a monthly report from the operator and
is involved in some project meetings. These three actor groups collaborate on
projects such as the one studied in this paper on a regular basis. Thus, interorganizational projects in this context are heavily institutionalized and they are
regulated by various governing documents of the organizations involved, including
regulations for risk management.
Project management in this inter-organizational setting is organized into four
phases: Feasibility, Concept, Definition and Execution (see figure 2). A project is
usually initiated by defining a business opportunity or a particular problem for
which the project shall develop solutions, in this case the obsolescence of particular
technical systems in two plants. Replacing technical systems was considered
necessary from economic, technical and safety perspectives, due to ageing and lack
of supply materials and the risk of a technical breakdown. Once the decision to
conduct the project has been taken by the owners, project leaders are appointed in
the operator organization and TSP, and project teams are set up in both
organizations. The aim of the first project phase, the Feasibility phase, is to
9
elaborate different possible solutions and to evaluate them with regard to their
technical, economic and HSE (Health, Safety and Environment) feasibility. In the
Concept phase, further information is collected so as to select one solution
(“concept”) which is then to be further defined (detailed engineering plans,
scheduling, cost estimates, assigning of responsibilities, etc.) in the Definition
phase. In the final Execution phase, the planned solution is carried out, e.g. the
obsolete systems are replaced by alternative systems. To enter each of these phases,
the owner organization has to officially approve, i.e. a ‘decision gate’ has to be
passed.
Decision
Gate
Feasibility
Decision
Gate
Concept
Decision
Gate
Definition
Execution
Figure 2: Project Phases
Each project phase is organized into the same milestones that are regulated and
proceduralized by various documents. These milestones are 1) phase start-up
meeting, 2) delivery of the ‘decision gate support package’ from TSP to the
operator, 3) ‘Independent Project Review’ (IPR), 4) the operator’s proposal to the
owners to pass the decision gate and provide funding for the next project phase, and
5) the owners’ approval via email, called ‘license-web’. The phase start-up meeting
sets the agenda for the respective project phase. The ‘decision gate support
package’ consists of a collection of standard documents that TSP is required to
complete, giving account of the project content and status. This report is reviewed
by the operator who creates its own version which is then presented in the IPR
meeting. This meeting is a two-days audit involving all three actor groups as well as
external ‘facilitators’ with the aim of evaluating the extent to which the
requirements for this project phase have been met. If the proposal to pass the
decision gate is approved by the owners, the project enters the next phase.
Risks representations got particular attention in internal and inter-organizational
meetings held at the beginning and end of each project phase (‘Phase start-up’ and
IPR), the ‘monthly meeting’ which is mainly a status report between TSP and the
operator, and in meetings explicitly dedicated to risk management (inter-
10
organizational ‘risk workshops’ held at least twice during a project phase, and
monthly internal ‘risk reviews’) (see figure 3).
Start of
project phase
Beginning of
month
Phase
Risk
Start-Up Workshop
End of
project phase
End of month
Risk
Monthly
Review meeting
Risk
IPR
Workshop
TSP
Operator
Owners
Figure 3: Most important project meetings regarding risk management2
Risk maps were the most prevalent tool for risk representation in this context. They
are included in various project governing documents and prescribed by standard
documents such as the ones to be completed within the decision support packages.
Data on the construction and use of risk maps was collected longitudinally in terms
of a ‘projectography’ (Bragd et al., 2008; Czarniawska, 2007). We followed the
upgrading project by observing meetings (45), collecting documents such as
monthly reports, power point slides, project plans and governing documents, and
conducting interviews with representatives of different actor groups involved in the
project (14). The upgrading project started in 2009 and will be completed by 2013.
The analysis in this paper focuses on the first three project phases that have been
carried out from autumn 2009 until autumn 2011. Table 1 gives an overview of the
collected empirical case data.
Data Type
Interviews
Project manager
Project manager
Core member, project team
Core member, project team
Risk facilitator (core team)
Risk facilitator
Owner representatives
2
Organization(s)
Quantity
Operator
TSP
Operator
TSP
TSP
Operator
Owner organization
2
2
3
2
1
1
3
The dotted rectangles indicate which parties are included in the respective meeting.
11
Total
Meetings observed
Risk workshop
Internal risk review
Monthley meeting
Independent project review (IPR)
Other internal meetings
Other inter-organizational meetings
Total
Documents
Overall governing documents
Risk management procedures
Project governance
Monthly reports
14
TSP & Operator
TSP
Operator & TSP
TSP & Operator
TSP, Operator &
Owner organization
TSP
Operator
TSP & Operator
2
1
2
12
2
TSP
Operator
TSP
Operator
Owner Organization
TSP
Operator
1
3
4
3
1
20
20
52
Total
7
14
5
45
Table 1. Summary of Data Sources
We structure the data analysis along the dimensions of ‘conversation’ and ‘text’ as
put forward by Taylor and Cooren (1997). In terms of text, we analyze the
characteristic semantic properties of risk maps as well as their reference to and
embeddedness in other texts such as internal documents and industry regulations. In
terms of conversation, we distinguish analytically between two kinds of patterns of
risk maps in action: 1) conversation patterns that have mainly to do with the
construction and drawing of risk map texts and 2) conversation patterns that have to
do with the drawing upon and reference to existing risk map texts.
Risk maps as ‘text’
Risk maps depict diverse risk objects within a Cartesian coordinate system,
classifying them along two axes, the probability of the risk’s occurrence and the
severity of its consequences, its potential ‘impact’. Depending on these two
estimated properties of a particular risk object, it is ultimately classified along a
traffic light system as red, amber or green risk. Figure 4 shows an ideal-type risk
map template as presented within TSP’s project documentation.
12
Figure 4. Risk map format as represented in TSP’s monthly report
Relationships between risk maps and other texts
Diverse risk objects, such as cost, HSE, schedule, operation, technical integrity and
reputation (‘public issue’) risks, are to be represented on the map. The represented
risks refer to ‘risk registers’ that are set up for all categories of risk objects in
different project groups. Of all risks identified in the various risk categories, the
risks to be considered as most important are displayed within the risk map. Risk
maps do not only exist for particular projects (‘project risk maps’), but also as a
selective combination of several project risk maps in overview figures that display
the most relevant risks per organization (organizational risk map) and the most
relevant risks of several inter-organizational projects taken together (quasi a ‘metaproject’ risk map). Risk representations thus become more abstract the further they
‘travel’ within the respective organizations’ and project hierarchies ‘up’ to top
management levels and through the project organization ‘up’ to the owners.
A specific characteristic of internal guiding documents and regulations in this
context is the heavy focus on project management. Much activity in this industry is
organized in terms of projects, and project management guidelines stress the ‘riskbased approach’ to be taken. Project management, in terms of setting objectives,
planning, coordinating and controlling activities, according to these guidelines,
shall all be linked to risk assessment. At the two plants involved in the upgrading
project, risk maps have been officially introduced in 2000 and implemented in
projects in 2001. This can be seen as a response to a change in the regulative
13
context. In line with other industries, the regulative regime of the Norwegian gas
and oil industry has moved from a prescriptive-based to a performance-based
approach (Braut and Lindoe, 2010; Petroleum Safety Authority Norway (PSA),
2010). Corresponding to what Power (2007) describes as the rise of ‘risk
governance’, under a performance-based regulative regime companies are expected
to prove that they have a comprehensive risk management and internal control
system. Although the concrete type of risk representation, e.g. by means of risk
maps, risk indicators or otherwise, is not prescribed by these industry regulations,
‘internal’ responses to these regulations consistently feature risk map templates as
one of the most prevalent risk reporting tools. However, risk maps were not
completely alien in this industry before the rise of performance-based regulation.
Maps of a similar outlook have been used in a more informal way already decades
earlier. One TSP engineer, for instance, recollected besides conducting quantitative
risk analyses on technical risks also discussing and placing risks that were harder to
treat quantitatively along probability and impact dimensions in a ‘paper and pencil’
fashion in the early 80s. This was done as an informal brainstorming as to what
factors need to be considered when conducting a project. As compared to these
early risk maps, currently risk maps are comprised of a much wider range of risk
objects, and they are institutionally embedded in a vast array of IT templates,
governing documents and procedures of risk reporting within (inter-) organizational
project management.
Discursive characteristics of risk maps
Several semantic-technical aspects are characteristic of risk maps. As other
inscriptions, they are mobile (transportable through different places and times in
printed or digital form), stable and recognizable in outlook (two-dimensional risk
representation and traffic light colour coding), and combinable, i.e. they allow for
aggregation and recombination of information (Latour, 1987; Robson, 1992; Stark
and Paravel, 2008). We will discuss in this section particularly the nature of the
characteristic discursive form of risk maps, that is i) their figurative, diagrammatic
outlook, ii) the type of commensuration that risk maps bring about, iii) their flexible
classification of zones of (ab)normality and iv) their combination of prospective as
well as evaluative signs.
14
Figurative, diagrammatic outlook
Risk maps are diagrammatic, i.e. imaging, techniques. They constitute overview
images, showing in one single diagram how risky or dangerous, overall, the
operations of a particular system, such as an organization, an organizational unit or
a project, are estimated to be. This is done by the ‘textile order’ (Schneider, 2005)
of the tabular system that interweaves two elements, probability and impact, into
one image. The diagrammatic outlook of risk maps combining several quantitative
and figurative elements into one image can be related to perceptions of clarity,
simplicity and instantaneous ‘overview’. Risk maps, therefore, may tend to be
perceived as easy to understand with an impression of getting a good overview of
an otherwise complex arrangement of (inter-) organizational processes. As one
project member commented:
These tables (risk maps) have been calibrated, fine-tuned, and redesigned over
years. They’re working models which may be updated and changed in the future.
But they’re fairly simple to understand now. A traffic light system. It’s clear. It’s
visual. It’s easy to understand. (I-TSP-3).3
The simplicity of risk maps is also related to the selective representation of
identified risks. Only a certain amount of risks can be represented in an overview
image, and the naming of risks needs to be short to ensure readability. Similar to a
representation of key performance indicators, e.g. on a balanced scorecard,
perceived ‘comprehensiveness’ of risk maps goes along with selection and
abstraction.
Commensuration
The tabular system of linking probability and impact ‘standardizes’ qualitatively
different types of objectives-at-risk, such as financial goals, goals of technical
functionality, and work place safety along two homogenous dimensions, thus
making risks to these objectives appear commensurable (Espeland and Stevens,
1998) and allowing for categorization and prioritization of risks. The symbolism of
traffic lights supports this perception of homogeneity and comparability, as it
integrates the two dimensions into a ranking system by setting thresholds as to
which probability-impact combinations are more or less ‘normal’, or put in more
3
We refer throughout the paper to empirical data by means of codes that indicate the type of data,
i.e. interview (I), meeting (M) or document (D), and the (inter-)organizational affiliation, i.e. TSP,
operator (OP) or owner (O).
15
interventionist terms, ‘tolerable’ or ‘intolerable’, thus requiring intervention or not.
In the sub-text to the risk map template provided in governing documents, green is
associated with ‘risk acceptable, no action required’, amber with ‘risk acceptable,
risk reducing action should be implemented’, also described as ‘ALARP – As Low
As Reasonably Practicable’, and red with ‘risk not acceptable’ (Renn, 2008). The
green-amber-red colour combination has been used for traffic regulation since the
1920s and the meaning and connotations of this symbolism is arguably collectively
shared and highly institutionalised. Traffic lights therefore work effectively as
semantic markers between different ‘zones of acceptability’, enabling a seemingly
clear ranking of represented risks regarding their urgency of intervention.
Flexible zones of (ab)normality
The distinction between tolerable and intolerable on the map is not a purely
mathematical-statistical matter, since which spectrum is considered to be ‘normal’
or ‘acceptable’ is based on a qualitative judgment rather than on a mathematically
based indication (cf. Link, 1996). Such threshold values are therefore, in principle,
flexible and re-locatable on a continuum. As markers between normal and abnormal
cannot be purely mathematical, the border is set by means of semantic-symbolic
markers, i.e. the traffic lights. The operator’s project risk map, for instance, features
more amber areas (8) than green (3) and red (4) areas as compared to the TSP’s
map in which all three areas are equally distributed. It thus represents an unequal
colour distribution, making more probability-impact relations ‘tolerable’ (see figure
5).
16
Consequence
Minimal
Small
Probability
Very Likely Likely 20% - 50% Less Likely Unlikely 1% - 5%
50% - 100%
5% - 20%
Bid waiver
Significant
Very significant
Interfaces at site
Contractor
capacity
c
Compliance with
TR
Personnel risk
Potential DCP
Ex certification
Installation
philosophy contract
Functionality of
the system
Figure 5. Operator’s risk map used in the upgrading project (Concept phase)
Twin prospective-evaluative connotation
Furthermore, risk maps are prognostic images in the sense that the dimensions of
probability and impact are estimates of potential future events. As other prognostic
representations such as growth curves, series and histograms, risk maps use
mathematical-statistical elements, particularly probability values, tabular format and
Cartesian coordinate system of x and y axes. At the same time, however, the traffic
light qualification can be read as indicating past and current performance of the
accounted for entity, i.e. the project. If all identified risks are placed in the green
area, for instance, the project appears to be ‘on track’. Risks maps thus have an
ambiguous prognostic-evaluative connotation, making it in principle amenable to
prognosis, planning and scheduling as well as performance evaluation. Along with
the potential openness to include a wide range of different risk objects and
objectives-at-risk, be it risk to health and safety, technical functionality or risk of
delays and cost overruns in a project, the twin prognostic-evaluative connotation
allows to discursively link different areas of expertise and is well suited to the
17
proclaimed ‘risk-based’ project management approach, linking concerns with risk
to project management agendas.
Other characteristics could be added here, so that our list is not meant to be an
exhaustive catalogue, but rather a suggestive description of the most apparent
discursive features. Importantly, these characteristics are not independent of past
and current uses of risk maps, as they have been developed and become
institutionalized as a particular combination of signs in recurrent interaction. It is
such interaction or ‘conversation’ (Taylor, 2011) in which risk maps are produced
and referred to that we attend to in the following section.
Risk Maps in Conversation
Our analysis of how risk maps are performed in the studied inter-organizational
setting focuses first, on how the involved actor groups constructed and changed risk
representations and second, on how they drew upon and mobilized such
representations in the course of the project collaboration.4 In each section, we
describe observed practices of risk map conversations and highlight characteristic
elements of these practices.
Drawing the map: Identification and placing of risks
As ‘empty’ templates (Quattrone, 2009), risk map formats are drawn upon as texts
that need to be filled with content in the course of a project. During the upgrading
project, both the TSP and the operator created their own versions of risk maps, and
they were required to constantly review and update their maps. Reviews of risk
maps took place in meetings attended by representatives of different project subgroups such as HSE, cost and engineering groups. Sub-groups developed their own
risk registers in separate sub-group meeting, listing a set of risks in their area of
responsibility. The construction and update of risk maps involved the selection of
the most ‘exigent’ risks out of these ‘lower-level’ registers, discussion of potential
additional risks, and the placement of identified risk objects along probability and
The distinction between ‘drawing of’ and ‘drawing upon’ risk maps should be understood as an
analytical one only. One could argue that the map is drawn upon when it is constructed. By
distinguishing these processes, we aim to identify characteristics of processes in which risk objects
are defined and placed on the map versus characteristics of processes in which existing maps are
drawn upon, even if these two processes are often intermingled in practice.
4
18
impact dimensions. In the following, we describe characteristic patterns of these
processes in more detail.
1) Creation of inclusive overview categories
Identification of risk objects to be placed on the map often did not imply a simple
selection of the top risks as ranked in existing sub-group risk registers. Instead,
more inclusive risk objects were defined that ‘summarized’ a few more concretely
defined risks under abstract categories. For instance, ‘functionality of the system’
was defined as a risk object which comprised different uncertainties as to whether
the new technical system to be implemented in the upgrading project would work at
least as well as the current system operating at the two plants. Interestingly, such
overview categories tended to be defined in terms of ‘objectives at risk’ (e.g.,
technical functionality) rather than in terms of ‘risk to an objective’. In this way, the
risk map rendered relevant project objectives visible rather than particular risks to
these objectives. To be sure, the placement of such objectives at risk within green,
amber or red areas could still give an indication of the estimated threats to an
objective, but the particularities of such threats disappeared from sight. Other
constructed risk objects did refer to risks rather than objectives at risk, but their
abstract definition in many cases implied an unclear relationship to a particular
project objective. ‘Interfaces at site’, for instance, was defined as a risk object
which referred to risks emanating from other projects that are conducted in parallel
at the plants to be upgraded, as well as from the necessity to continue plant
operation while undertaking the technical upgrade. A wide range of risks and
related objectives at risks can fall under this category, such as technical problems,
project delays, unexpected costs and increased danger for plant personnel.
Identifying risk objects thus seemed to follow a logic of comprehensiveness and
abstraction rather than selection and specification. At times, project members
criticized risk maps as being too abstract, so that it is hard to understand what lies
behind a risk bubble. On several occasions, actors got frustrated with represented
risks on the map that they couldn’t make sense of, as they forgot over time the
broader context and meaning of the represented risk or ‘objective at risk’ and the
associated actions, or couldn’t interpret it because someone else – not present at the
current meeting – had been originally responsible for placing that risk.
19
2) Quick closure of risk placement discussions
As to the specific placement of a risk object on the map, agreement was reached
surprisingly fast during meetings. Most often, the first suggestion of placing a risk
on the map was accepted so that the risk got placed without further discussion.
Once risk objects were placed, meeting participants quickly moved on to other
issues.The process of risk assessment with regard to their potential impact is meant
to be supported by guidelines for impact categorization (see Appendix A), and
should also be informed by “prevailing risk tolerance criteria (set by risk owner)
and [by] risk appetite” (D-TSP-3). Actual risk placement decisions were mostly
taken without discussing and matching potential impacts to the categories specified
in these guidelines. In interviews, project members commented on this observation
by stating that the exact placement was not that important, since this wasn’t an
exact science anyway. More relevant would be that risks get dealt with and
ultimately reduced. However, the lack of discussion on the potential impact of a
particular risk object, along with the abstraction as discussed above, went along
with actors’ uncertainty and conflicting interpretations regarding what a risk bubble
stood for, and in turn, what mitigating activities should be undertaken. For instance,
some project members referred to the risk object termed ‘personnel risk’ as
personnel safety at risk due to the vicinity of running compressors when conducting
the upgrading work, while others referred to it in terms of a risk to technical
functionality of the running compressors caused by upgrading workers’ potential
incautious use of machinery. In this way, personnel was both seen as an objective at
risk and as a risk to technical functionality. Such differences in conceptions can
imply fundamentally different mitigating activities. Hence, as several mapped risk
objects referred comprehensively to different types of risk and impact at once, it
made practical sense for project members to ignore predefined impact categories
and apply judgment in where to place a particular risk object. At the same time, this
practice furthered multiple interpretations and confusion as to the meaning of a risk
object, as project members did not make related impacts explicit.
3) Representational inertia
Furthermore, a reluctance to change the original risk map in the course of the
project was discernable. Risk mapping seemed to be path dependent, so that
removing risks as well as adding new risks occurred only rarely, and with perceived
20
delay. The stable risk map stood in contrast with talk about newly emerging risks
among project actors. Such change in perceived risks materialized rather at ‘lower’
levels of risk representation, e.g. in the risk registers of project sub-groups, such as
the engineering group concerned with technical risks or the accounting group
concerned with cost risks. Once established, risk maps seemed to develop a life of
their own, being only loosely coupled to more operational discussions in which new
risks might come up, so that there are incongruent risk representations on different
levels. At times, the resulting incongruence was recognized and discussed in
meetings, and interviewees talked in this regard about insufficient updating of the
maps. In an internal project review meeting, for instance, a discussion arose about a
new risk that had not been included in the risk map. The operator’s project manager
argued that he had not included that risk because he wanted to wait and get more
information about it from TSP, i.e. to be more confident about the nature of the risk
before putting it on the map. Other project members, however, criticized this
attitude and cautioned that risks should be mapped as early as possible (M-OP-9).
Path dependence of risk maps did not only mean a tendency to keep the same risks
on one of the actor’s (e.g. the TSP’s) map, but also a tendency of the operator to
simply take over the risks as represented in the TSP’s map when creating the
operator’s own risk map. Some actors perceived this practice as problematic (MOP-9, M-OP-10, I-GL-2), cautioning against the convergence of the TSP’s and the
operator’s risk maps into a single project’s risk map. They argued that taking over
the same map could be regarded as a ‘security blanket’ which would work mainly
in a ritualistic way rather than critically engaging with the specific risks that their
own organization is exposed to.
4) Representing ‘synergy’
One distinctive rationale of risk representation in this inter-organizational context
was the use of identical risk maps, i.e. maps representing the same types of risk
objects, for both plants in which technical systems were to be updated, and also for
a short period for two other projects that were managed within the ‘project
portfolio’ by the same project teams.5 Dealing with upgrading two different plants
The total ‘project portfolio’ included besides the studied project another upgrading project and a
project preparing for processing of products from a new oil field. The latter project differs in many
5
21
in the same project, as well as dealing with different projects within one ‘project
portfolio’ was frequently justified with reference to generated ‘synergy’ effects.
Such synergy was not clearly operationalized, e.g. in a specified amount of cost
savings. However, the fact that the same risk maps were used for these different
undertakings was referred to as ‘evidence’ that project management synergies could
be achieved. The presentation of a common risk map for all three projects in the
monthly report and monthly meeting was soon openly contested and abandoned, as
the operator was concerned about failing to understand the risk map and felt the
need to distinguish project-specific risks. Using a common risk map for the
upgrading of two different plants, however, has been practiced in all project phases
during the study period. This practice is legitimized by pointing to the fact that the
same project team runs the project on both locations, that many of the risks are
identical and that plant specific risks are not problematic, as risk owners would take
them into account in their specific action lists. Two separate, but nearly identical
risk maps managed by the same team would, in contrast, be time consuming,
confusing and pose challenges for documentation, updating of the maps and the
action lists. Thus, ‘synergy’ was made visible by means of identical risk maps.
While all actor groups defended the practice of using a common risk map, they did
at times utter concern over one of the plants (located geographically where most of
the project team of the TSP is situated and close to the operator’s location) getting
more attention than the other plant (where actually most of the work is to be done).
Project members did not explicitly relate this perceived imbalance to the use of
common risk maps, although identical maps can imply that specificities of the
‘neglected’ plant do not get mapped.
5) Omitting risks
Some risks were recognized as relevant by actors in project meetings, but did not
get represented in the map. We observed different ‘non-placement’ practices in this
regard:
First, certain risks got excluded from the map because they were regarded as
‘dangerous’ to report. The perceived danger was related to offending another actor
group and disturbing the relationship by officially naming a risk that results from
respects from the other two. Only the studied upgrading project concerns two plants, the other ones
are related to only one of these plants.
22
the actions of another actor group. The operator, for instance, did not feel
comfortable with officially identifying TSP’s ability to manage the project at the
time as one of the operator’s project risks, although this was considered to be one of
its major risks for a short period at that particular project phase. Both in meetings
and in interviews, actors referred to non-representation of this type of risks as
relevant face-saving activity within inter-organizational cooperation, with justifying
statements like “You can’t flash this right in their face” (I-TSP-4), “That would be
very provocative” (I-OP-1), and “We don’t have a tradition for doing it like that” (IOp-1). One operator representative explained the problem of ‘dangerous’ risk
representation in an interview as follows:
The point is that you have to look at in what setting you’re going to use it (risk
map). Where is it going to be used? If you’re showing to a cooperation partner a
risk that the cooperation is bad, then I think what you’re doing is actually helping
the risk become a reality. So, in some respects, I’ve also seen ones where we don't
think the sponsors will approve the project. We will not put that on a risk matrix
that we show to the sponsor, because that will just… “You’re not expecting us to
approve it.” So, I think the risk register will have a certain amount of, let’s say,
political correctness about it, depending on where it’s to be shown. (I-OP-2)
When it comes to other actors external to the inter-organizational project
management, such as contractors who are not exposed to the risk maps, project
members found it, in contrast, unproblematic to name these as risks on the map (IOP-1, I-TSP-1, I-TSP-4).
Furthermore, there was sometimes disagreement over which risks should be placed
in the map. One underlying cause of such disagreement were divergent
understandings about the relevant time horizon to be taken into account when
considering ‘objectives at risk’. While some held the view that risks to long-term
project objectives should be considered, i.e. impacts of the technical upgrade on the
long-term technical functioning, safety etc., others promoted a narrower view on
risks to the objectives of the respective project phase. One of the defined objectives
of a project phase is to move the project into the next phase, i.e. to get approval by
the owner organization. Evidently, ‘objectives at risk’ and consequently the risks to
be considered as most relevant differ with such divergent time perspectives taken.
The following episode exemplifies such divergent understandings.
In a risk meeting of the operator during the Definition phase of the project, a
discussion arose over the HSE risk of working under the condition of limited space
during the plants’ upgrade, which would take place in the Execution phase. Project
23
members had different opinions on 1) whether this risk should be mapped and
addressed already in a stage of the project in which no phase-specific objectives
would be impacted by that risk and 2) how to place this risk if it gets represented
(which colour category should be assigned):
Project member (PM)1: This [risk ‘HSE in limited space in a live plant’] would be
a risk during the operation/execution phase.
PM 2: This risk map should be for the definition phase. What are the procedures
in [the operator] related to this?
PM 3: I have also wondered about that.
PM 4: It is possible to include risks for the whole project period.
PM 3: Our focus must be on this phase.
PM 4: We must assess the criticality of the risks, and this changes through the
different phases.
PM 3: It is not even sure we make it to the 4th [Execution] phase.
PM 2: Shall we mark it as red now?
PM 4: In this phase it is not red.
PM 2: I think we have different philosophies and practices on this. (…) (M-OP11)
The main argument for placing only phase-specific risks on the risk map was that
such a focused picture would allow for concentrating project activities towards the
main objective of this phase which is to proceed to the next phase, whereas the
main argument against this position was that risks and action plans should be
identified as early as possible so as to prevent them from impacting overall project
objectives. As to the colour coding, some argued for categorizing this risk as a red
risk because no risk reducing activities have yet been implemented, while others
argued it should be marked as green, since it was not critical in the current project
phase.
Similar to the example above, in a monthly meeting between TSP and operator, a
representative of TSP explained the incongruence between the TSP’s risk map and
a risk described as ‘major risk’ in TSP’s monthly report to the operator as resulting
from different perspectives on ‘objectives at risk’. The more ‘general’ risks to the
objectives of the respective project phase, typical risks at this stage for different
kinds of projects, would therefore not necessarily translate into the more ‘specific’
risks of this project to be reported in the risk map:
PM 2 (operator): I see you have a major risk here: ‘Late changes in scope’.
PM 3 (operator): Shouldn’t there be coherence between the risk map and what
you describe as major risks? (…) You recently had a risk review, the risk
should have been included then.
PM 5 (TSP): I hold the risk map to be more specific, and the monthly report to be
more general, to be on a higher level. (M-OPTSP-6)
24
Even though project members discussed such inconsistencies and agreed that they
were problematic, there seemed to prevail an understanding that they cannot be
avoided, so that in some meetings the existence of divergent parallel risk
representations was accepted and not further commented upon.
Third, some project members criticized the map’s abstraction also with regard to the
fact that only the ‘top ten’ risks are displayed on the map, while excluding other
risks from sight. One owner representative who expressed concern over the
simplification of commonly used risk management technologies,6 mentioned the
colour coding as being particularly problematic: “You get blinded by the colours”.
He was concerned that colours direct attention to just the red risks, omitting the
other risks which could be or could become more dangerous (I-GL-1).
Overall, the construction and update of risk maps was a non-trivial matter, based on
assumptions of relevant ‘objectives at risk’, time horizons and levels of generality
of risks to be represented. Also, the process was complicated by considering sociopolitical aspects, such as avoidance to openly denounce another actor group as a
‘risk’. In general, there was a tendency to depict the same risks on the map
throughout the course of the project, these tended to converge over several similar
projects and between actor groups, and as the project progressed they tended to
move on the map towards the green zone.
Drawing upon the map: different roles of risk maps in the project
We now turn to the way risk maps are drawn upon in project management practices
by different actors. Interestingly, it is difficult to identify a commonly accepted
purpose and ideal use of risk maps in this context. In regulations and procedures,
the necessity and relevance of identifying, representing and managing risks is
explicated with reference to an “enterprise-wide risk management approach”, so as
“to make sure that our operations are safe, and to reach our corporate goals in
compliance with our requirements” (D-TSP-5). The particular rationale for using
risk maps is presented in governing documents as increasing efficiency in reporting
and decision-making (D-TSP-3, p.4). As apparent already in the previous section,
and as we will further illustrate in this section, risk mapping was not primarily used
6
This interviewee has been working in this industry for many years and perceived current risk
management practices as markedly different from earlier ones.
25
as a tool to spur critical discussion of emerging threats, and was at times even
regarded as impeding attention to relevant risks. Many project members saw risk
mapping in this inter-organizational setting nonetheless as a relevant activity which
should not be discarded. We will describe in the following what ways of drawing
upon risk maps were discernable in the course of the project, revealing types of
perceived usefulness that go beyond the formally espoused aspirations of safety,
goal achievement and efficient reporting.
1) Defensive construction of audit trails
A few project members stated that risk maps were used primarily in order to
comply with regulative requirements. Thus, along with other documentation, risk
mapping insured against potential blame. Such ‘insurance’ activity was seen as
necessary, but problematic as it took away attention and time from what were
considered to be more relevant activities. An engineering manager at the TSP, for
instance, was particularly pronounced in voicing his concern over the inclusion of
perceived unnecessary risk objects in the map. Since regulations recommended to
account for a broad mix of different types of risk objects in risk representation, he
felt that technical risks which he considered as most complex and relevant in the
upgrading project became under-represented in favour of other risk types such as
HSE risks.
We mustn’t have too much attention on things that are not relevant. (…) What we
have mostly discussed in this project actually are problems around noise inside a
work station. There has been too much focus on this, and also on how to bring
equipment into the building. And when you look at the complexity of the
equipment that is being replaced, and all the issues around this, how it is going to
be installed and so on, it is a paradox that so much of the attention is on these
simple things, instead of having a greater focus on what really could delay the
process.
I: What do you think is the reason for this?
The main issue, I think, are all the terms and regulations. When there is so much
of this and a wide range of governing documentation that very few people
understand, the totality of it, this will result in an uncertainty were one would
cover oneself with everything between the earth and the sky (Norwegian
expression), even when it is not relevant. To take a decision and say ‘we don’t
need this’ is difficult. So one keeps on driving on the same track, to cover up all
eventualities. Then the focus on the most precarious things disappears, but
perhaps one should have spent most of the time on these things (…) You have to
document that you have been through it, and if the project goes wrong at some
point, you can go back and see if the related factors have been addressed earlier.
Whether the risk picture helps you to avoid it or not, is another issue. (I-TSP-2)
26
This interviewee clearly puts forward his engineering perspective of which risks
should be focused on relative to others. More importantly, however, he describes
perceived threats and uncertainty posed by guidelines and governing procedures,
leading project members to defensively produce audit trails so as to be able to prove
compliance with procedures in case something goes wrong. He thus perceives
increased concerns with secondary risk management which permeate professional
attention and activities (Power, 2007). Not everyone expressed such concerns,
however, and some stated that whilst such attitudes towards risk representation have
been present in the past, risk mapping has come to be used in less defensive ways in
this context over time (I-OP-2).
2) Prompting a sense of alignment and concerted action
Despite the apparent confusion as to the meaning of mapped risk objects,
representational inertia, and omission of risks, some project members stated that the
map helped to align the perspectives and activities of different project actors with
regard to the most relevant challenges:
I think it helps with alignment of the project with regard to what the challenges
are, absolutely. (…) You need to remind yourself of what you agreed on. It helps
align people on what the challenges are, either within a group or across groups.
(…)
I: What does alignment mean?
Alignment means that you agree, at least, on what the major challenges are. It’s
an agreement on what the main challenges are of the project, what the agenda
should be, and what we should be looking at. (I-OP-2)
Also during meetings, some project members associated risk discussions around the
map explicitly with notions of alignment, for instance when assessing the ‘success’
of inter-organizational meetings, as illustrated in the following conversation at the
end of a risk review meeting:
PM operator: I think this has been a good review, it is a good thing that we are
aligned.
PM TSP: We are well aligned, that’s true. (M-OPTSP-9)
A sense of alignment was thus achieved as different actors co-oriented towards the
map (Taylor and Robichaud, 2004). Not all actors did regard alignment of
viewpoints and activities as desirable, however. Alignment by means of the map
was also seen as problematic in the sense that collective attention could too quickly
converge towards the mapped risk objects, while disregarding other potentially
27
relevant aspects (e.g., M-OP-12). Clearly, all actors saw risk maps as influencing
their project work, not only because time had to be spent to draw the maps, but also
because they were seen to influence collective attention and action. This was
apparent, for instance, when risk maps were used as a means to structure interorganizational meetings, such as review meetings between TSP and the operator. As
one project owner at the operator stated, the top ten risks on the operator’s map are
used as an agenda for meetings with TSP:
I think the way the risk map is used, hopefully, is that it legitimizes which themes
we’re bringing up with the TSP—so our focus would be with the top ten risks. If
we move outside the top ten risks, then you have to ask yourself, “Why are you
asking that question at all?” If it’s relevant, then maybe it should be on the list. If
it’s not relevant, then you shouldn't be asking it.” What is a good way once you
present it? Here's the operator’s view of the risk table. Generally, they will agree
with it. That then legitimizes the subject you take up in the monthly meetings. If
you didn't have that list, it would just be a, “What can we think of today?” type of
approach. (I-OP-2).
In this way, the representation of a particular risk object on the map strongly
impacted whether it got discussed in the meeting or not. As such, attention and time
was dedicated to represented risks, regarded by some in terms of effective
alignment of viewpoints and activities, and by others in terms of problematic
convergence.
3) Making up ‘the project’ and establishing commitment to the project
collaboration
As discussed earlier, risk maps tended to converge between organizations and were
identical for both plants to be upgraded. The use of identical project risk maps for
the two plants was a means to make proclaimed synergy effects from including both
plants in the same project visible. In this way, the risk map was used to legitimize
the way the project was organized, but it also gave ‘the project’ a recognizable
outlook and identity (Taylor and Cooren, 1997; Taylor, 2011). ‘The upgrading
project’ did not only involve distributed actors working at different places
associated to different formal organizational entities, but membership to the project
constantly changed over the project phases, so that only a few actors worked in the
project during all project phases. What exactly ‘the project’ is made of is therefore
not entirely clear, and even the defined scope of the project can change over time.
Arguably, a broad set of artifacts and inscriptions are implicated in making up the
28
project’s identity, such as meeting protocols, time schedules and governing
documents. However, in contrast to long lists of protocols, technical specifications
or cost tables, the risk map gives the project a comprehensive image that can be
understood ‘immediately’, even without knowing on what concrete information the
map is based and which mitigating activities are undertaken by whom at a particular
moment in time. Since risk objects are expected to and tend to move towards the
green zone in the course of the project, the risk map envisions a future of the project
that should become increasingly certain and it is a means of giving a sense of
identity and stability to an otherwise only vaguely defined entity. One interviewee,
for instance, stated that if all project members would be present in all project phases
and places, risk maps would be less relevant. But since different actors, situated at
different places, join the project at different times, it becomes relevant to build up
stable project artifacts such as risk maps:
For the project itself, the risk map is not a be-all and end-all. Each person has a
risk picture in his own head that you base the work on. But for the project and for
other people that come in at a later stage, you need documentation. In that regard
the risk map tool serves a purpose. If everybody would follow the whole project,
the whole period, it is not revolutionary to put some words into a program (I-TSP2)
In a similar vein, project members referred to risk maps often in terms of relevant
proceduralized reporting milestones which give structure to the inter-organizational
work, and allow the project to ‘move forward’ as long as the risk picture remains
tolerable. Risk maps that do not feature red risks thus signal to project members that
the project is ‘alive’, in a ‘healthy state’, and will not come to a halt, since identified
threats are ‘under control’. A TSP project member described the relevance of risk
maps for inter-organizational cooperation in this regard as follows:
It will help their (operator’s) decision process, of course. They can see that we’ve
made a good risk assessment around this project, and that will help them in their
decision process.
I:
In what way?
They increase their confidence. We’re talking about confidence. How confident
are we that we’re going to perform the work within the right time, within the right
budget, without any injuries? (…) Then they can confidently go to their manager
and say, “TSP has done a good job here. We’re confident that we’re going to
come within the budget frame.” Then their management team will go up to the
owners and say, “We’re confident that they’ve done a very good job. They’ve
looked at all the aspects. Of course, things could pop up totally unexpectedly but
we’re confident that they’ve assessed the situation properly, (…) So, they’re
confident that they can go up and say, “We need this amount of money to install
this item.” (…) If we haven't followed the guidelines or haven't followed the
29
documentation exactly, this might pop up and they’ll say, “We’re not confident
with this. I think we need to go back and make a reassessment. We’ve got to
design again. Stop the project. We’re not going to sanction this project. We’re not
going to deliver money.” (I-OP-GS)
Confidence and commitment to the project by different actors in this interorganizational collaboration is thus built by means of delivering standardized
assessments and reports, including the risk map. If the report is not complete, “if we
haven’t followed the documentation exactly”, this would prompt suspicion of owner
representatives and might delay the project’s progress through the ‘decision gate’.
As Kalthoff (2005) in his analysis of credit risk calculations in banks argues,
symbolic machines such as risk calculations and models imply a shift from truth to
‘correctness’. What is assessed by headquarters’ risk analysts (or the owners in our
case), is whether calculations have been performed correctly according to their
internal calculative logic, or in our case: whether regulations have been followed
and the documentation is complete. Delivering the risk map in the expected format,
embedded correctly in the monthly report, thus represents commitment and
confidence of the reporting party, at the same time as it creates confidence in the
receiving party. This works despite actors of all parties are aware that the map does
not show ‘the whole picture’.
4) Managing boundaries and mediating concerns
By being implicated in the discursive construction of the project’s identity, risk
maps also mediate concerns and interests of the different actors in the project. They
act as a forum for negotiating the boundaries of the project, what Kaplan (2011)
calls with regard to PowerPoint ‘cartographic’ efforts to adjudicate interests.
Limitation or expansion of project boundaries is often driven by actors’ interests in
setting a particular topic on the agenda, or positioning it as outside the realm of the
project. To frame an interest or concern in terms of ‘risk to the project’ seemed to
be seen as an opportunity to be heard and to negotiate for resources. As discussed
earlier, there was an ongoing discussion whether project risks and objectives-at-risk
should be defined narrowly for a particular project phase or more broadly in terms
of goals that the project should achieve for the plants after the upgrading has been
installed. Such ambiguity allowed a wide range of concerns to be uttered in the
name of the project. The project risk map was used in this regard as place to start
30
such negotiations. Thus, instead of directly negotiating resources for a particular
activity, actors sought to first place a concern on the map as a new risk object, so as
to legitimately receive resources to mitigate this risk. For instance, during the
feasibility phase, TSP actors in one of the plants sought to include ‘loud noise’ in
the compressor area of the plant as a HSE risk on TSP’s map. This risk should be
mitigated, they claimed, by means of building a silent room which would protect
workers from the noise. In several meetings between TSP and the operator during
the Concept phase, the operator’s project manager argued against the inclusion of
this risk, since he did not regard the noise problem as linked to the upgrading
project, but as a more general problem of plant operations. As his job as a project
manager in the operator is to keep the project small and simple, he sought to define
the project in narrow rather than broad terms. Seeking to prevent further attempts to
expend the boundaries of the project, he set up a new risk object on the operator’s
map, called ‘change in (project) scope’, and ultimately the plant gave up on this
issue and dealt with the noise problem without building a separate room.
Concerns were not only mediated by means of the risk map in terms of attempts to
expand or limit the project’s boundaries, but also by means of seemingly depoliticizing and rationalizing inter-organizational queries and lack of trust. Actors
found it easier to raise concerns over data delivered by another actor group, such as
technical tests or cost forecasts, by means of framing the concern in terms of ‘risk’,
as explained in the following quote:
We have another discussion always going on in a project where TSP has come up
with a forecast that we believe is too low. Instead of being categorical and saying,
“We think you’re too low in costs,” we say, “There’s a risk, and we evaluate the
risk to be higher than you do.” That could be an argument where we use the risk
map to put forward a point of view. The alternative would be to say, “We don't
believe you,” which would be harder. (I-OP-2)
Raising concerns with risk and making these concerns visible on the project risk
map was thus used as a way to focus another party’s attention to a particular issue
so as to implement mitigating actions. However, actors also referred to risk
documentation in order to shield themselves from other parties’ influence. In some
meetings, reference to efficiency of risk mapping and adherence to standards was
made in order to keep another party from ‘intruding’ into one’s sphere. In one
meeting, for instance, a TSP representative argued for the sufficiency of risk
31
reporting and against access of the operator to more detailed information in a
meeting as follows, “The system is like this, we can’t double up everything” (MOPTSP-6). Furthermore, TSP sought to not let the operator “pollute” the TSP’s risk
map “with other concerns outside our field of responsibility (…) to be able to focus
on our own risks” (I-TSP-1). TSP actors were thus anxious that the operator’s
members would use the risk map to place their concerns on TSP’s map, so as to
shift responsibility to TSP.
Overall, risk maps got used in inter-organizational communication as audit trails to
insure against potential blame, but also as a tool that prompts a sense of ‘alignment’
between distributed actors, gives identity to the macro-agent of ‘the project’, and
serves as a platform to negotiate boundaries of the project and mediates different
interests and concerns.
Discussion and conclusion
The case of risk maps applied in an inter-organizational technical upgrading project
illustrates different ways of how these representation devices take shape and are put
to use in the setting of the Norwegian petroleum industry. We focused on risk
mapping as one prevalent and widely institutionalized technology associated with a
broader Enterprise Risk Management discourse (Mikes, 2009; Power, 2007). In the
following, we discuss our case more explicitly in the light of previous research on
ERM practices, linking observed risk map conversations to discursive
characteristics of risk map texts.
Secondary risk management and decoupling
Risk maps can be seen as powerful devices of secondary risk management (Power,
2004, 2007) in that they offer a simple ‘overview’ picture of identified risks that
works more as an evidence that risk management procedures are in place than
giving visibility of the identified risks and associated concrete risk reduction
activities. As a standardized tabular image, it can be integrated in governing
documents and reports, promising comprehensibility, comparability and thus
efficient reporting. Risk maps were implicated in secondary risk management in the
studied upgrading project to the extent that they were drawn upon as auditable tools
allowing to ‘pass decision gates’, and as reference points to ‘insure’ oneself against
potential critique or blame should something go wrong. In line with Power’s (ibid.)
32
analysis, the usefulness of risk maps as audit trails was by some actors contrasted
with practical problems in using them as devices for spotting and discussing early
warning signals. Project members regarded risk maps as problematic in this regard,
since the ten represented risk objects on the map were abstract, vaguely defined and
not always clearly linked to more specific risk registers. That is, actors did not
blindly accept the use of these representations as ‘good’ risk management activity.
Both, producers (i.e., TSP and operators) as well as receivers of this information in
governing positions (i.e., operators and owners), were often aware of the pseudocontrol that the tool provides, as they criticized its abstract and reductionist
character. However, abstraction and incongruence between risk maps and more
specific risk representations did not mean that risk maps were decoupled from all
project activities. On the contrary, they impacted attention and decision-making
heavily in the course of the project. Risk maps thus did not merely get used as
reporting devices and audit trails. They were implicated in setting the agenda and
structuring discussions, particularly within inter-organizational reviews. Risk
objects that were not presented on the map thus got less attention in these meetings.
Secondly, although several actors criticized abstraction, simplicity, path dependence
and pseudo-control involved in the use of risk maps, they were nonetheless
characterized by nearly all project members as important and relevant technology of
project collaboration. Project members thus did not dismiss such reports as ‘just’
bureaucratic activity. Power (2007) explains “continuing co-existence of local
critique and world-level conformity” (ibid.: 195, emphasis in the original) by the
pervasiveness of neo-liberal political discourses of auditability and isomorphic
pressures for reputation management. However, in our case risk maps were heavily
implicated in actual project activities, and project members’ attitude towards risk
maps was ambiguous in that they criticized them at the same time as they regarded
them as valuable tools for project coordination. The powerful position of risk maps
in this context therefore cannot be fully explained by institutional pressures brought
about by both internal and external rules and regulations and the perceived need for
defensive production of audit trails. The different ways of how risk maps got
enacted in the project indicate that risk mapping was not just a matter of compliance
and insurance. Rather, we have argued that risk maps became involved in the
creation of project identity and commitment and were enrolled as a political
instrument of setting boundaries of what gets associated with the project and what
33
gets defined as being situated outside the project’s realms. We therefore draw on
the concept of mediation (Cooren and Taylor, 1997; Miller and O’Leary, 2007;
Wise, 1988) to complement existing explanations of the pervasiveness of ERM
technologies such as risk maps.
Risk maps as mediating figures
Extant studies on intermediaries or ‘mediating instruments’ have shown how
representational devices and ‘texts’ such as technology road maps (Miller and
O’Leary, 2007) and business plans (Doganova and Eyquem-Renault, 2009) mediate
between different actors and between different domains (e.g., science and the
economy), and thereby contribute to the making of macro-agents such as markets
and organizations (Cooren and Taylor, 1997). Such mediation is often based on the
envisionment of a future of a collective, an organization, a project or an industry, by
means of a plan or a model which distributed actors can draw upon in order to
allocate resources and plan local activities related to the delineated future. Although
actors might not fully trust the representational and prognostic qualities of such
devices, they often find them still useful to communicate, and plan and structure
activities in reference to these artifacts. For instance, Young (1995) observed that
psychiatrists increasingly used the DSM-III (Diagnostical and Statistical Manual of
Mental Disorders, 3rd ed.) language to communicate with each other and their
accounting departments, although they frequently didn’t believe in the categories
they were using. In the studied upgrading project, the project risk map acted
similarly as a mediating figure in the sense that distributed actors could refer to the
map as a relatively stable artifact making up the identity of ‘the project’. The risk
map appeared to be a major device for prompting a sense of alignment in the
project, by means of a co-orientation of actors towards the text (Taylor, 2011;
Taylor and Robichaud, 2004), representing and at the same time furthering
commitment to the joint project. Similar to Young’s (1995) observation, this was
less due to a ‘blind’ belief in the trustworthiness and completeness of the reported
information. Rather, the map allows the project to jointly go ahead, as it offers a
point of common identification. Even though the represented risks can threaten the
project which suggests a negative connotation, their appearance on the map seems
to be positively connoted, as they are under managerial investigation, conveying
confidence that something is done about them. Identification with the project by
34
means of the risk map is also achieved by the expected and often performed
movement of the risks in the course of the projects towards the green and amber
zones of normality and acceptability. The risk map, therefore, envisions a future
that gets more and more certain as the project goes ahead and thereby enrolls
different actors to the project. Its twin prognostic and evaluative connotations
further not only the envisionment of the project’s future, but also a sense of
common achievement. Such positive connotation, we argue, works even though
actors are partly aware of the representational limitations and ‘risks’ of the map. It
is discursively enhanced by flexible zones of normality that enable actors to
conduct normalizing activities, deciding on what is inside and outside of the map
and adjusting borders between tolerable and intolerable risks, themselves (Link,
1996) so as to allow the project to progress. In addition, the map invites
identification with the project as well in that it symbolizes efficiency. In our case,
the use of the same map for different plants and the attempt to use the same map
across different projects within the ‘project portfolio’ made ‘synergies’ visible that
could hardly be operationalized otherwise. Simplifications that were regarded from
one point of view as problematic, were thus from another point of view useful in
order to enact a rhetoric of synergy and efficiency. Furthermore, risk maps were
drawn upon in the project as mediating devices to manage boundaries of the project
and between involved actor groups. Such boundaries concerned areas of attention,
responsibility and resource allocation and the risk map offered a platform for their
negotiation. The map is well suited for such boundary work, as its dimensions of
probability and impact are generic enough to incorporate diverse types of content
and concerns. Along with such openness to include a wide range of risk objects, its
twin prognostic and evaluative connotation more generally invite different areas of
expertise to be associated to the map, such as risk management, project
coordination and performance evaluation.
To be sure, risk maps might work in other contexts in different ways than those we
have observed in this project. It is, we believe, the combination of a regulative
context that furthers the use of commonly accepted risk representation technology
within the broader context of discourses of auditability and responsibilization
(Power, 2007), and the particular setting of temporal, inter-organizational project
collaborations, that constitutes an arena in which technologies such as risk maps get
35
enrolled as mediating devices between different actors and concerns in the creation
of a collective identity of the joint project.
In conclusion, our analysis shows that overview risk representation technologies
such as risk maps which are commonly used as ERM technology can come to be
seen as ‘useful’ in other ways than as tools for increasing collective mindfulness
towards early warning signals or for ritualistic purposes of secondary risk
management (Mikes, 2009; 2011; Power, 2007). While defensive production of
audit trails was present in our case, the risk map got enrolled as well in the creation
of the project’s identity (Taylor, 2011) and as a platform for mediating concerns
between different actors groups in an inter-organizational setting. As such, we have
shown how the governance of risk is related to mediating technologies. Risk maps
can work as powerful mediating instruments in inter-organizational practices, at the
same time as they are ‘risky’ tools when it comes to creation of mindful awareness
and scrutiny. More research is required to better understand these and similar
tensions in the use of risk maps and associated tools such as risk registers and risk
indicators in different contexts. Often, risk maps appear in the form of ‘riskopportunity’ maps. To map opportunities along with risks is in line with the logic of
enterprise risk management and with the logic of progress outlined in this paper. As
yet, we do not know what particular challenges are linked to ‘opportunity-risk’
management and how the inclusion of ‘opportunities’ affects the constitution of risk
objects and risk management practices.
We have highlighted in this paper some discursive characteristics of risk maps and
discussed their link to different types of observed uses of these maps. For a better
understanding of the historical and institutional grounding of these characteristics, it
would be fruitful to investigate the origins of risk mapping and trace how risk maps
came to be institutionalised as an ERM technology. Finally, future research on
ERM technologies and practices could focus more on the use of such practices in
networks of organizations rather than discrete organizational entities. In this paper,
we have only begun to look at some specifics of inter-organizational coordination
by means of ERM technologies. More research is needed to understand how risk
representation and other technologies of inter-organizational coordination interact
and what effects their uses entail.
36
37
References
Arena, M., Arnaboldi, M., Azzone, G., 2010. The organizational dynamics of
Enterprise Risk Management. Accounting, Organizations and Society. 35,
659-675..
Beck, U., 1992. Risk society: Towards a new modernity, Thousand Oaks, CA:
Sage.
Beunza, D., Garud, R., 2007. Calculators, lemmings or frame-makers? The
intermediary role of securities analysts, in Callon, M., Millo, Y., & Muniesa,
F. (Eds.), Market Devices, Oxford: Blackwell, pp.13-39.
Bowker, G.C., Star, S.L., 2000. Invisible Mediators of Action: Classification and
the Ubiquity of Standards. Mind, Culture, and Activity. 7(1&2), 147-163.
Bourrier, M., 2005. An interview with Karlene Roberts. European Management
Journal. 23(1), 93-97.
Bragd, A., Christensen, D., Czarniawska, B., Tullberg, M., 2008. Discourse as the
means of community creation. Scandinavian Journal of Management. 24,
188-208.
Braut, G.S., Lindoe, P.H. 2010. Risk Regulation in the North Sea. A Common Law
Perspective on Norwegian Legislation. Safety Science Monitor. 14(1), 1-9.
Callon, M., 1986. Some elements of a sociology of translation: domestication of the
Scallops and Fishermen of St. Brieuc Bay. In: J. Law (Ed.), Power, Action
and Belief: A New Sociology of Knowledge?, London: Routledge, pp. 196223..
Callon, M., 1991. Techno-economic networks and irreversibility. In J. Law (Ed.), A
sociology of monsters: Essays on power, technology and domination.
London: Routledge.
Callon, M., 1998. Introduction: the embeddedness of economic markets in
economics. In: Callon, M. (Ed.), Laws of the Market, Oxford: Blackwell.
pp. 1-57.
Callon, M., Millo, Y., Muniesa, F., 2007. Market Devices. Oxford: Blackwell.
Cooren, F., 2004. Textual Agency: How Texts Do Things in Organizational
Settings. Organization. 11(3), 373-393.
Cooren, F., Kuhn, T., Cornelissen, J.P., Clark, T., 2011. Communication,
Organizing and Organization: An Overview and Introduction to the Special
Issue. Organization Studies, 32(9), 1149-1170.
Cooren, F., Taylor, J.R., 1997. Organization as an Effect of Mediation: Redefining
the Link Between Organization and Communication. Communication
Theory. 7(3), 219-260.
Czarniawska, B., 2007. Shadowing and other techniques for doing field research in
modern societies, Copenhagen Business School Press.
Doganova, L., Eyquem-Renault, M., 2009. What do business models do?
Innovation devices in technology entrepreneurship. Research Policy, 38,
1559-1570.
Douglas, M., 1985. Risk acceptability according to the social sciences, New York:
Russel Sage Foundation.
Douglas, M., 1992. Risk and blame: Essays in cultural theory, London: Routlege.
Espeland, W.N., & Stevens, M.L., 1998. Commensuration as a social process.
Annual Review of Sociology. 24, 313-343.
38
Ezzamel, M., Lilley, S., Willmott, H., 2004. Accounting representation and the road
to commercial salvation. Accounting, Organizations & Society. 29, 783813.
Gephart, R. P., Van Maanen, J., Oberlechner, T., 2009. Organizations and Risk in
Late Modernity. Organization Studies. 30(02&03), 141-155.
Gibson, J.J., 1979. The Ecological Approach to Visual Perception. Bosten, MA:
Houghton Mifflin.
Giddens, A., 1991. Modernity and self-identity. Cambridge: Polity Press.
Hardy, C., Lawrence, T.B., Grant, D., 2005. Discourse and Collaboration: The Role
of Conversations and Collective Identity. Academy of Management Review.
30(1), 58-77.
Hopwood, A., 1992. Accounting calculation and the shifting sphere of the
economic. European Accounting Review. 1(1), 125-143.
Kalthoff, H., 2005. Practices of Calculation. Economic Representations and Risk
Management. Theory, Culture & Society. 22(2), 69-97.
Kaplan, S., 2011. Strategy and PowerPoint: An Inquiry into the Epistemic Culture
and Machinery of Strategy Making. Organization Science. 22(2), 320-346.
Kurunmäki, L., Miller, P., 2011. Regulatory hybrids: Partnerships, budgeting and
modernising government. Management Accounting Research. 22, 220-241.
Latour, B., 1987. Science in Action: How to Follow Scientists and Engineers
Through Society. Boston. Harvard University Press.
Latour, B., 1994. On technical mediation-Philosophy, sociology, genealogy.
Common Knowledge. 3(2), 29-64.
Latour, B., 1996. On Interobjectivity. Mind, Culture, and Activity. 3(4), 228-245.
Latour, B., 2005. Reassembling the social. Oxford: Oxford University Press.
Law, J., 1986. On the methods of long distance control: Vessels, navigation and the
Portugese route to India. In J. Law (Ed.) Power, action and belief: A new
sociology of knowledge? Sociological review monograph. (Vol. 32, pp. 234263). London: Routledge & Kegan Paul.
Link, J., 1996. Versuch über den Normalismus. Wie Normalität produziert wird.
Göttingen: Vandenhoeck & Ruprecht.
Lupton, D., 1999. Risk. London: Routledge.
MacKenzie, D., Millo, Y., 2003. Constructing a market, performing theory: the
historical sociology of a financial derivatives exchange. American Journal
of Sociology. 109(1), 107-145.
Mikes, A., 2009. Risk management and calculative cultures. Management
Accounting Research, 20(1), 18-40.
Mikes, A., 2011. From counting risk to making risk count: Boundary-work in risk
management. Accounting, Organizations and Society. in press.
Miller, P., O’Leary, T., 1987. Accounting and the construction of the governable
person. Accounting, Organizations & Society. 12(3), 235-265.
Miller, P., O’Leary, T., 2007. Mediating instruments and making markets: capital
budgeting, science and the economy. Accounting, Organizations & Society.
32(7/8), 701-734.
Miller, P., Kurunmäki, L., O’Leary, T., 2008. Accounting, hybrids and the
management of risk. Accounting, Organizations and Society. 33(7-8), 942967.
Miller, P., Rose, N., 1990. Governing economic life. Economy and Society. 19(1),
1-30.
39
Miller, P., Rose, N., 1992. Political power beyond the state: Problematics of
government. British Journal of Sociology. 23, 173-205.
Muniesa, F., Millo, Y., Callon, M., 2007. An introduction to market devices. In:
Muniesa, F., Millo, Y., & Callon, M. (Eds.), Market Devices Oxford:
Blackwell Publishing. (pp.1-12).
Orlikowski, W. J., 2000. Using Technology and Constituting Structures: A Practice
Lens for Studying Technology in Organizations. Organization Science,
11(4), 404-428.
Petroleum Safety Authority Norway: From prescription to performance in
petroleum
supervision
(published
12.03.2010),
derived
from
http://www.ptil.no/news/from-prescription-to-performance-in-petroleumsupervision-article6696-79.html, accessed on 15.12 2010)
Power, M., 2004. The Risk Management of Everything. Rethinking the politics of
uncertainty. London: Demos.
Power, M., 2007. Organized uncertainty: designing a world of risk management.
Oxford: Oxford University Press.
Power, M., 2009. The risk management of nothing. Accounting, Organizations and
Society. 34(6/7), 849-855.
Power, M., Scheytt, T., Soin, K., Sahlin, K. 2009. Reputational Risk as a Logic of
Organizing in Late Modernity. Organization Studies. 30(02&03), 301-324.
Quattrone, P., 2009. Books to be practiced: Memory, the power of the visual, and
the success of accounting. Accounting, Organization & Society. 34, 85-118.
Qu, S.Q., Cooper, D.J., 2011. The role of inscriptions in producing a balanced
scorecard. Accounting, Organizations & Society. 36, 344-362.
Renn, O., 2008. Risk Governance. Coping with Uncertainty in a Complex World.
London: Earthscan.
Robson, K., 1992. Accounting numbers as „Inscription“: Action at a distance and
the development of accounting. Accounting, Organization & Society. 17(7),
685-708.
Schneider, B., 2005. Diagramme und bildtextile Ordnungen. In B. Schneider (Eds.),
Bilderwelten des Wissens. Kunsthistorisches Jahrbuch für Bildkritik. Berlin:
Akademie-Verlag. Volume 3,1. pp. 9-19
Stark, D., Paravel, V., 2008. PowerPoint in public: digital technologies and the new
morphology of demonstration. Theory, Culture & Society. 25(5), 30-55.
Taylor, J.R., 2011. Organization as an (Imbricated) Configuring of Transactions.
Organization Studies. 32(9), 1149-1170.
Taylor, J.R., Cooren, F., 1997. What makes communication ’organizational’? How
the many voices of a collectivity become the one voice of an organization.
Journal of Pragmatics. 27, 409-438.
Taylor, J.R., Robichaud, D., 2004. Finding the Organization in the Communication:
Discourse as Action and Sensemaking. Organization. 11(3), 395-413.
Turner, B, Pigeon, N., 1997. Man-Made Disasters (second edition). London:
Butterworth-Heinemann.
Vlaar, P.W.L., Van den Bosch, F.A.J., Voberda, H.W., 2006. Coping with Problems
of Understanding in Interorganizational Relationships: Using Formalization
as a Means to Make Sense. Organization Studies. 27(11), 1617-1638.
Weick, K. E., 1987. Organizational Culture as a Source of High Reliability.
California Management Review. 29(2), 112-127.
Weick, K. E., & Sutcliffe, K., 2001. Managing the Unexpected. Assuring High
Performance in an Age of Complexity. San Francisco: Jossey-Bass.
40
Weick, K. E., Sutcliffe, K., Obstfeld, D., 1999. Organizing for high reliability:
Processes of collective mindfulness. Research in Organizational Behavior.
21, 81-123.
Wise, M.N., 1988. Mediating machines. Science in Context. 2(1), 77-113.
Woods, M., 2009. A contingency theory perspective on the risk management
control system within Birmingham City Council. Management Accounting
Research. 20(1), 69-81.
Yakura, E.K., 2002. Charting Time: Timelines as Temporal Boundary Objects.
Academy of Management Journal. 45(5), 956-970.
Young, A., 1995. The harmony of illusions: Inventing post-traumatic stress
disorder. Princeton, NJ: Princeton University Press.
41
Appendices
Appendix A: Impact categories for different risk objects on a ‘Consequence
Matrix’ (TSP intranet, D-TSP-PIMS-1)
42