A decade after the introduction of the ‘Principles’ for the management of operational risk, the Basel Committee on Banking Supervision found that banks have made insufficient progress in implementing the principles, first introduced in 2003 and revised in 2011 (BIS, 2014). This is a particularly alarming fact given that operational risk failures are said to have played a significant part in the recent financial crises and despite increasing regulatory efforts to control risk, high profile failures continue unabated. These failures draw increasing regulatory attention, which further promotes formal policy development, increased confidence in risk management as a science, as well as an increased intolerance for failure. These failures indicate that there may be evidence of decoupling between formal policy and daily practices in banks leading to unrealized intended outcomes (Bromley & Powell, 2012).
In this paper I examine why risk regulation as a form of formal policy is not producing intended outcomes such as those expressed by the Basel Committee, despite clear evidence that banks at a formal level show a high level of compliance with regulatory demands. The paper draws on empirical evidence gathered from over twenty-five interviews with senior risk and business managers from different levels of a large European AMA approved bank over a two-year period, to explore this apparent misalignment between formal policy and intended outcomes. I argue that given the nature of the current regulatory model, intended outcomes beyond the implementation of regulatory prescribed frameworks, processes and tools, only become known retrospectively, ‘postdict’, as ideas are transformed into practices that are actionable (Brunsson, 1993).
The findings show that turning regulatory ideas into actions which may become integrated into the daily practices of banks is an experimental and evolutionary process, exposed to a multiplicity of factors at different levels of the organization, for example; organizational structure and cultural attitudes towards risk, diversion of time and resources, perceived utility of risk processes, tools and controls, as well as the degree of consistency between regulatory and organizational goals over time. By recognizing the limitations of the prediction – postdiction model of risk management, we can reassess societal expectations of regulatory policy, starting by acknowledging that the implementation of processes, tools and technologies are a ‘means’ of achieving intended outcomes of formal policy and not an ‘ends’ in themselves.
European Network for Research in Organisational & Accounting Change (ENROAC)