Governance and Regulation ‘From the Inside’

What is the nature of regulatory processes in a post ‘command and control’ world? It has long been recognized in many different countries that the various agencies and departments of the state have neither the resources nor the expertise to regulate directly in a commanding and controlling style in many areas of social and economic life. Indeed, the ‘command and control’ model was always more aspirational than descriptive as scholarship in socio-legal studies has demonstrated (Baldwin and Cave, 1999: chapter 4). For example, against the ‘legalistic illusion’ which assumes that regulatory processes follow their prescribed blueprints, empirical investigations have revealed the negotiated and variable nature of compliance (Hutter, 1998; Hawkins, 2003). The necessity for regulatory strategies which work with, and draw on, the resources of regulated organizations has been transformed from the street-level pragmatism of front line inspectors into principles for regulatory design. In addition, associations like the ICAEW which sponsored the Cadbury Code, and non-governmental organizations of various kinds, have long been recognized as significant in the production of social order and norms of governance (e.g., Streeck and Schmitter, 1985). Indeed, there has been an increase in scholarly and practical interest in the range of non-state organizations which contribute to regulatory outcomes and which are involved in prescribing governance norms and rules to govern the conduct of organizations, not least insurers.3

36 / Organized Uncertainty

Analytical concepts have been developed to represent a complex regulatory landscape. Ayres and Braithwaite’s (1992) concept of ‘enforced self-regulation’ characterizes the potentially cooperative relationship between regulator and regulated (Baldwin and Cave, 1999: 133–6). As a normative blueprint abstracted from practice, the concept suggests that, in the first instance, a regulatory organization should prefer a cooperative style, prescribe principles, permit organizations to develop and enforce their own detailed rules, and periodically inspect. In cases of breach or dissatisfaction, the regulatory body has, or should have, options to escalate its enforcement process with ever more serious consequences for the regulated organization.

The analysis lends itself easily to the tools of game theory. State regulatory agencies should work with a tit-for-tat strategy, to trust first, to distrust and sanction when trust is violated and finally, if the game is extended, to forgive and trust again. The theory is that this regulatory model generates considerable self-regulation and ‘natural’ compliance by the regulated organization.

Many regulatory systems are linked to licensing privileges where a licence to trade or conduct an activity is conditional on compliance with formal or procedural norms (such as having ‘effective’ internal controls). The sanction of withdrawing a licence is usually a last resort and the outcome of extensive prior negotiation. The ‘enforced self-regulation’ model therefore reflects a regulatory preference for indirect action and influence by prescribing frameworks and principles and by enrolling self-regulating resources, in particular the management system of internal controls. Organizations have an incentive for compliance because the regulatory process may focus on desired outcomes rather than regulating detailed process, with regulatory intervention as a last resort. In the UK, the Financial Services Authority has recently sought to regulate in some areas via high level principles.4

The ‘enforced self-regulation’ model is not the only theoretical and normative possibility. It is part of a family of related concepts of ‘mutual regulation’, ‘de-centered regulation’, ‘smart regulation’, and ‘soft law’. All these approaches add nuance to the basic idea: the key elements of regulation, namely the production and enforcement of norms may, and should, be dispersed across many different actors (Gunningham and Grabosky, 1998; Black, 2001). It is broadly accepted that regulatory systems can make a virtue of this necessity by combining the benefits and authority associated with the ability to enforce sanctions with the benefits of cooperation. In this manner, the more traditional deterrence model of regulation comes to be embedded within a larger strategy which relies heavily on cooperation and self-regulation (Reiss, 1984; Hutter, 1997: 238–243; Parker, 2002).5 This reflects a broad shift in regulatory preference from ex post discovery of norm violation to ex ante anticipation, and to prevention and self-discovery via internal systems of compliance which secure organizational conformity.6

The Rise of Internal Control / 37

This accent on self-enforced compliance as a preventative strategy is the heart of what has come to be called risk-based regulation (to be discussed further in Chapter 3). In essence both regulators and regulated observe propensities for non-compliance with desired norms of behaviour. Self-discovery and reporting by the regulated entity is an ideal. This mode of regulatory control is exemplified by the growth of programmes which develop performance standards for compliance in technical terms (Parker, 2000). The ideal is that potential for first order failure and deviance, such as fraud, is signalled in the first instance by ‘technical failure’ or ‘near miss’, typically signals of control system design weakness or operational deviance. It is argued that such compliance based strategies encourage organizational learning and responsibility (Hutter, 1997; Parker, 2002), thus positioning internal control as a ‘moral technology’ at the heart of governance. Perhaps nowhere is this more evident than in efforts in the financial services sector to incentivize and embed self-regulation.

In the United Kingdom in the 1990s, the Securities and Investments Board (SIB), the predecessor of the Financial Services Authority, explored ways of rewarding financial firms that establish good controls and effective internal auditing procedures. In a similar vein, prior to the changes in the institutional structure of financial services regulation in 1997, the Bank of England adopted a ‘quality assurance’ based approach to supervision to ensure that regulations are being applied.7 This subsequently developed into an explicitly risk-based approach to supervision, following advice from Arthur Andersen, known as RATE (Bank of England, 1997a; Black, 2003a). The Bank of England approach emphasized the common interests of management and supervisor.

The intensity of external supervision and of audit could be varied depending on the control culture in the target bank (Bank of England, 1997b). The FSA inherited and developed this approach further (to be discussed in Chapter 3), making the quality of internal controls a core principle (Gray and Hamilton, 2006: chapter 3).

More generally, regulatory design increasingly embodies an aspiration for a style of regulation which operates with the incentives of organizations (Braithwaite and Makkai, 1994; Goodhart et al., 1997) and which places the operational substance of control within organizations themselves, with a corresponding ‘responsibilization’ of senior management (Gray and Hamilton, 2006: chapter 4). Within this cooperatively constructed baseline model for regulation, the degree of external audit in principle becomes part of the ‘ladder of response’, an escalatory option available to the regulator, rather than an ongoing standardized fixed-period statutory requirement.8 The Audit Commission in the UK public sector traded intensity of inspection based on evidence of good governance (Bowerman et al., 2000) and evidence of good environmental management systems, as prescribed by frameworks such as EMAS or ISO 14000, can form the basis of ‘smart’ deals with regulators about intensity of inspection (Aalders, 1993; Gunningham and Grabosky, 1998) and with insurers about the costs of cover.

Borrowing from Shapiro (1987) it can be argued that these changes in regulatory philosophy, and the emphasis on modes of self-regulation and control systems, have much to do with the rise of ‘trust’ as an organizing principle in modern societies. Despite suggestions that modern societies are often characterized as being less trusting, the growth of agency relationships, whereby agents are entrusted with custody and discretion over the management of the assets of other people, suggests the necessity of trust between strangers remote from each other in space and time who must rely on the representations of the other. Actors may work hard to personalize and re-embed economic relationships, but this is a costly activity and impersonal trust, supported by systems trust (Giddens, 1990), is both an inevitability and a part of the logic of opportunity. The rise of these trust-based relationships in modern life drives a demand for new guardians of trust who can explicitly balance the incentives for principals to take risks with those of agents to engage in deviant behaviour. These guardians are typically, but not exclusively, regulatory and inspection organizations which focus on the conditions of trust inside organizations.9 Accordingly, internal control systems and related public disclosures, such as financial statements, have been transformed into the material representation or proxy for trusting organizations and their leaders. Internal control systems have become central to a ‘regulatory epistemology’ in which demands for trust create corresponding demands for evidence.

Within regulatory scholarship there is a difference between an emphasis on internal control systems which values their technical properties in enabling more efficient coordination, and an emphasis which regards them as the basis for more substantive improvement of, for example, health, safety, environment, investor protection.10 Internal control systems embody both potentials—of greater efficiency and coordination on the one hand, and of greater sensitivity to social responsibility issues on the other. This is the sense in which such systems are ‘moral technologies’; in their expanded role and conception they embody and intertwine the two logics of management and democracy which Drori (2006) identifies within the concept of governance. We might be sceptical about the managerialization of CSR by such systems in particular cases, e.g. the observed variability of the role of EMAS in contributing to environmental protection, and of firms’ commitments to environmental compliance (Gunningham et al., 2003). However, the general mobilization of management control as a regulatory resource has been animated by a rationalized vision of its responsibilizing and ethical potential in making the inner life of organizations observable.

Supervisory capacity in the broadest sense, including that of external auditors, to detect first order violations, such as fraud, is limited and often not timely. The more easily detectable violation is the breaking of organizational trust and this leads to a regulatory preference for preventative regulatory strategies which focus on systems designed to make key trust variables visible. In place of direct surveillance, an impossible pure transparency, the regulatory process ‘observes’ in the first instance the conditions under which trust is supported, that is, the norms of behaviour to which organizational agents are held to account by their own managerial commitment to self-regulation. This is meta-regulation or the regulation of self-regulation (Parker, 2002: chapter 9) and it amounts to a profound turning ‘inside out’ of organizational life. The distinction between internal self-governance and external regulatory process is increasingly blurred and technical features of internal control systems are bearers of trust values. As a consequence of these developments, the normative climate of organizations, variously characterized as the ‘tone at the top’, ‘organizational culture’, or ‘control environment’ has become a significant focus of regulatory attention via its auditable proxies—internal control routines, checks, and structures.

Internal control has become central to the rise of a ‘regulatory state’ which is broader than the growth of agencies and encompasses control departments and units within organizations, including the risk management function. Internal control has become part of a new governmentality of organizational life in which traditional distinctions between mandated and voluntary regulation are blurred. For example, since its creation in 1992, principles of corporate governance in the UK have changed formal status from a so-called voluntary, private regulatory system, to a public one required by listing rules. UK companies are now required to state whether they comply with the principles and must ‘explain’ if they do not. Formally, non-compliance with the principles is possible provided the organization explains itself, thus being compliant in a second order sense. This ‘comply or explain’ principle typifies a regulatory emphasis on combining flexibility with informative disclosures. However, the significance of the Code approach lies much less in its formal status as either a voluntary or mandatory set of norms. Indeed, this distinction, although important in law, is largely unhelpful in characterizing the sense in which the principles of corporate governance across the world have marked out the inside of organizations as a kind of regulatory and disciplinary space (Hancher and Moran, 1989). These principles are experienced as binding regardless of their source. The family of neoliberal regulatory strategies described above draws our attention to the many sources of control, discipline, and normative order beyond the state (Rose and Miller, 1992). This means that the ‘regulatory state’ is much more than a system of semi-autonomous agencies; it is also a distinctive mode of self-observation and self-discipline for organizations, a reflexive mode of regulation mediated in part by dedicated officerships (see Chapter 3). Internal control systems in their broadest sense play a critical role in neoliberal regulatory regimes which operate indirectly via the ‘control of control’.

As the distinction between mandated and voluntary norms is blurred, so too is that between managerial and regulatory process itself. Such an elision provides a platform for a new logic of opportunity and enterprise in organizational fields by which control activities can be imagined both to be ‘compliant’ and to facilitate core business processes in an organization. This neoliberal compliance ideal anticipates a potential where the traditional ‘problem of compliance’ no longer exists because regulatory and business goals are perfectly aligned. That this ideal is not an empirical reality, and principal-agent models remind us that it is not aligned with theory either, should not detract from its broad discursive status as an aspiration or telos of regulation. Internal control systems have been placed within a new web of concepts and categories and can now be envisioned as the critical interface between regulatory and business values, and hence between society and organizational operations.11 In short, internal control systems make possible the displacement of government by governance as an emphasis on the internal conditions and benchmarks of organizational trustworthiness. Internal control systems are at the heart of a process by which organizations are being turned inside out and made into newly responsible actors.

In summary, the regulatory environment of organizations in many different policy areas has taken a ‘managerial turn’ with an increased emphasis on systems of control, senior management responsibility and ‘naturally’ enforced cultures of compliance. Corporate governance changes in the early 1990s catalysed the role of internal control systems as important objects of public policy. Formal regulatory bodies like the UK FSA can be conceptualized increasingly as meta-regulators observing the self-regulation of organizations, an approach which represents a radical internalization of regulatory activity and where the distinction between organizing (managing) and regulating is increasingly blurred. However, this regulatory convergence on, and demand for, effective internal control and management systems is not a sufficient condition for the rise of internal control. There must also be a supply of ideas, knowledge, and templates with a corresponding body of carriers. For this we must look, at least in part, at recent transformations in the field of financial auditing.