to be perceived as objectively real. However,
all risks are socially constructed. As Ewald (1991)
says, 'Nothing is a risk in itself: there is no risk
in reality. But on the other hand, anything can
be a risk; it all depends on how one analyses
the danger, considers the event' (p. 199). A risk
becomes objectively real once it is inscribed on
the risk register. This inscription functions to
create the relational element connecting the
object to a putative harm. Clearly, this is not a
neutral act. How risk is carved up determines
accountabilities (Hilgartner, 1992).
RAG-rating turned out to be a very potent
technology, and indeed, on several occasions
it was used as a verb, as in 'can we get that
RAG-ged please?' Like all technologies, its
usefulness lies in converting a major effort into a
minor one - but like all technologies, this has a
powerful shaping effect on the conceptualisation
of risk and risk management. In this case, as a
technology, RAG-rating encourages discussion
to focus on colour rather than the substance
of the risk. We witnessed many discussions
in which this occurred with the aim of risk
management being to change a colour from
red to amber or amber to green. However, it
was sometimes acknowledged that this was not
necessarily a good thing. For example, IT security
was frequently rated red by governing boards,
yet to reduce this to green was considered to
'smack of complacency'. This indicates that risk
management is also a 'political' or 'strategic'
device, and part of the management of
external impressions.
4.3 Setting the risk culture: 'Tone at the top'
Common to governance codes is the requirement
that the board be concerned with setting the risk
culture of the organisation (commonly referred to
as the 'tone at the top'). Risk culture is a rather
ill-defined notion but may be said to encompass
(Lipton et al., 2019):
• commitment to risk oversight of
the organisation,
• ethical/moral concerns,
• accountability/compliance with external
requirements.
Commitment to risk oversight
Setting the tone at the top involves the
competent performance of risk management.
We saw in our observations how risk was
collectively performed as a rational endeavour,
by the board and management together. Risk
management is designed to mitigate risk and
hence bring 'comfort'. While the aim of risk
management was to provide reassurance to the
board, this always had to be balanced against
the danger of being complacent.
Ethical/moral concerns
How risks are carved up is never neutral, hence
risk concerns ethical judgements. Colleges
adopted different ways of doing this. We
saw in one college, for example, where they
were reorganising the risk register, how the
construction of the risk category 'People'
triggered a discussion around staff as objects of
risk from the college, which resulted in a new
risk being identified that focused on failure to
provide an environment supporting the wellbeing
of staff and students. However, staff may also be
seen as risks to the organisation, which justifies
increased surveillance.
Accountability/compliance with
external requirements
Tone at the top was also enacted through
compliance with external requirements and
accountability. In one college we saw how this
compliance was enacted by the allocation of
risk ratings (red, amber, green) to the 100+
statements of good governance contained within
their respective code of good governance. In this
way, through the practices of risk management,
the governing body itself becomes an object of
risk. Another college board had constructed a
risk matrix of its own activities in which one risk,
'Failure to follow procedures to ensure good
governance', was rated red and remained so
even after mitigation.