BEHAVIORAL RESEARCH IN ACCOUNTING American Accounting Association
Vol. 33, No. 1 DOI: 10.2308/BRIA-18-016
Fall 2021
pp. 1–20
Making Sense of Risk Management as a (Dis)Comfort-
Inducing Practice
Yves Gendron
Universite´ Laval
Anna Samsonova-Taddei
HEC Montre´al
Henri Gue´nin
Universite´ Laval
ABSTRACT: This study aims to enhance our understanding of the practice of risk management, and specifically how
corporate boards fulfill their responsibilities regarding risk oversight. We draw on a theoretical perspective centered
on (dis)comfort and 25 interviews with corporate board members and risk management consultants in Canada to
present a view of risk management as a set of activities characterized by tension between actions that engender the
feeling of discomfort, and a quest for comfort and reassurance. Our findings provide insights that show how,
alongside the functionalist underpinnings, comfort-seeking represents a pervasive imperative that profoundly shapes
risk management in action.
Keywords: risk management; boards of directors; consultants; corporate governance; comfort.
I. INTRODUCTION
R
isk management practices have sparked significant interest among accounting scholars in recent years (Spira and Page
2003; Power 2004; Hall, Mikes, and Millo 2015; Gendron, Brivot, and Gue´nin-Paracini 2016; Laguecir and Leca
2019; Tekathen 2019; Tekathen and Dechow 2020). This growing body of literature explores a variety of topics,
including how risk-mitigating technologies are institutionalized and framed in ways that promote their wider acceptance
(Brivot, Himick, and Martinez 2017; Hayne and Free 2014), and how they are translated into different contexts, depending on
an organization’s calculative culture (Mikes 2009, 2011) and prevailing risk attitudes (Arena, Arnaboldi, and Azzone 2010;
Arena, Arnaboldi, and Palermo 2017). Studies have shown, in this regard, how risk management systems may produce hybrid
practices that lead to new forms of manageability (Miller, Kurunma¨ki, and O’Leary 2008), result in conflicting approaches
competing for authority (Fischer and Ferlie 2013), or even generate unexpected effects such as increased uncertainty (Vinnari
and Skærbæk 2014). Other works have focused on particular risk management tools, such as a study by Jordan, Jørgensen, and
Mitterhofer (2013) of how heat maps may act as platforms for mediating diverse stakeholder interests (see also Jørgensen and
Jordan 2016). However, despite this growing literature, risk management practices in the context of corporate boards remain
scarcely explored, with scholars calling for more research to understand ‘‘the intervening processes and behaviors that boards
engage in to carry out their [risk management] duties’’ (Slagmulder 2017, 181). The present study aims to respond to this call
We thank board members, consultants, and other professionals who participated in the interviews for this study. We benefited from the comments made by
Steven E. Salterio (editor), two reviewers, participants at the 2018 Alternative Accounts Conference (HEC Montre´al), and by workshop participants at the
University of Tampere (Finland) and University of Turku (Finland). We gratefully acknowledge the financial support of the Social Sciences and
Humanities Research Council of Canada.
Yves Gendron, Universite´ Laval, Faculte´ des sciences de l’administration, E´cole de comptabilite´, Que´bec City, Canada; Anna Samsonova-Taddei, HEC
Montre´al, Department of Accounting, Montre´al, Canada; Henri Gue´nin, Universite´ Laval, Faculte´ des sciences de l’administration, E´cole de comptabilite´,
Que´bec City, Canada.
Editor’s note: Accepted by Steven E. Salterio.
Submitted: March 2018
Accepted: August 2020
Published Online: September 2020
1
by examining how risk management is experienced and performed within corporate boards and how boards accordingly fulfill
their responsibilities in relation to risk oversight.
Prior literature has placed a primary focus on the operationalization of risk management, often implicitly linking its
purpose to the logic of organizational efficiency and/or risk minimization and prevention (see also Woods and Linsley 2017).
Yet, as noted by Themsen and Skærbæk (2018), we fundamentally lack a more holistic understanding of what motivates
processes of identifying and incorporating risk into organizational risk management templates, and how meanings that develop
around risk management may extend beyond purely functionalist rationales (see also, Jordan, Mitterhofer, and Jørgensen
2018).1 In this respect, relevant studies of nursing, law, and auditing have recognized comfort and providing reassurance as
important cognitive referents that influence how these professional practices are carried out (Pentland 1993; Fareed 1994;
Carrington and Catasu´s 2007; Sarens, De Beelde, and Everaert 2009), especially when the outcomes of such practices are
ambiguous. Power (1997), for example, conceptualized auditing as a practice with uncertain outcomes—it may be years after
the issuance of an audit report that the public learns the audit was a failure. He further argued that much of the work
surrounding auditing centers on ensuring the appropriateness of processes aimed at controlling audit risk, since professions
whose outcomes are nebulous place a particularly strong emphasis on processes supporting professional work (Abbott 1988).
The audit literature has showed, in this regard, how auditors engage in ‘‘comfort production’’ (Pentland 1993) and rely on
comfort in deciding on the appropriateness of procedures for ascertaining the trustworthiness of company reports (Gue´nin-
Paracini, Malsch, and Marche´ Paille´ 2014).
Risk management, arguably, is characterized by a similar dynamic of uncertainty and comfort building. That risk can never be
brought to zero is a claim widely endorsed in the professional and academic literature on risk, with some authors even resorting to
the notion of the ‘‘risk of risk management’’ (Vinnari and Skærbæk 2014) to denote the ambiguities associated with the practice.
Given the uncertainty surrounding processes of identifying, monitoring, and controlling for significant risks, it is plausible that, in
their decision-making, actors such as corporate boards are guided by process criteria (as defined by risk management ‘‘best
practices’’) as well as whether or not they feel sufficiently comfortable with the appropriateness of the risk management systems
they oversee. Some recent studies point in this direction, such as Kewell and Linsley (2017, 20) who argue that comfort represents
‘‘important heuristics . . . [that are] allied to processes of risk decision-making.’’ In this paper, we are interested in understanding
the role these ‘‘comfort heuristics’’ play in shaping approaches to risk management in corporate boards. From this perspective,
comfort heuristics may be viewed as rules-of-thumb or shortcut strategies that organizational members gradually develop and
learn to use in decision-making under uncertainty (Bingham and Eisenhardt 2011; Furnari et al. 2020).2
Drawing on extant theoretical perspectives on (dis)comfort (Pezeu-Massabuau 2012) and the initial thoughts on the role of
comfort heuristics in risk management offered by Kewell and Linsley (2017), we conceptualize risk management as a set of
activities characterized by an ongoing tension between:
Actions that engender the feeling of discomfort as material risks to organizational objectives are identified, analyzed, and
reported; and
A quest for comfort and reassurance through the development of mitigating and monitoring measures to reduce and
maintain risk at an acceptable level.
The empirical materials for the study mainly comprise 25 interviews (Table 1) in Canada with corporate board directors
and corporate consultants. Consultants are often involved in corporate board and committee meetings (Sturdy 1997), and in
disseminating ‘‘state-of-the-art’’ risk management practices.
Our findings demonstrate how (dis)comfort is at the core of risk management in action. Alongside the functionalist
underpinnings, such as those that are resource- or agency-related, comfort-seeking represents a pervasive imperative that
profoundly shapes how risk management is practiced. First, we show how board members are inclined to rely on corporate
consultants, who take on the role of chief comfort-givers by supplying board members with risk management tools and ‘‘best
practices’’ designed to cultivate a sense of controllability and knowledgeability related to risk oversight. Second, comfort serves
as a sufficing reference, or ‘‘end-state’’ (Kewell and Linsley 2017, 20), in board deliberations and assessments of risk
management effectiveness. We also show that board member preoccupation with comfort (re)production leads them to see the
purpose of risk management tools mainly as a means to quickly (re)gain confidence in the seeming effectiveness of an
organization’s risk management. This, in turn, tends to result in the board members’ preference for more mechanistic
1 A meaningful analogy can be made with one of the first articles pointing to the various roles accounting may play in organizational life, namely
Burchell, Clubb, Hopwood, Hughes, and Nahapiet (1980).
2 The socio-organizational way in which we approach the notion of comfort heuristics is different from the notion of cognitive heuristics as
institutionalized in the areas of psychology (i.e., as simplified processes that result in systematic errors as compared to normative statistical models—
Waller 1995) and behavioral auditing studies (Solomon and Shields 1995). That being said, we recognize that the two notions share a number of
assumptions.
2 Gendron, Samsonova-Taddei, and Gue´nin
Behavioral Research in Accounting
Volume 33, Number 1, 2021
approaches to risk oversight (see also Power 2004). Last, we mobilize Pezeu-Massabuau’s (2012) definition of (dis)comfort to
provide a more nuanced understanding of why these mechanistic approaches occur. We posit that, when having to imagine risk
scenarios facing an organization (i.e., to ‘‘practice discomfort’’ [Pezeu-Massabuau 2012]), board members do so mainly as an
‘‘obligation’’ that needs to be fulfilled and justified, if necessary. The more holistic and critical analyses of the existential risks
facing the organization (‘‘discomfort by privation’’ [Pezeu-Massabuau 2012]) potentially lead to greater uncertainty (and thus
discomfort) and, as a result, are often disregarded or downplayed by the boards. Arguably, it is board reluctance to undertake
these ‘‘deep-dive’’ assessments, experienced as too worrying and uncomfortable, that is one of the greatest ‘‘risks of risk
management’’ (Power 2004; Vinnari and Skærbæk 2014).
The paper is organized as follows. In Sections II and III we provide a general discussion of the board role in risk oversight
and introduce our theoretical lens. Next, in Section IV, we specify our data collection and analysis procedures. Subsequently, in
Section V we draw on our interviews to examine how the feelings of comfort and discomfort play a role in the manner in which
risk management is practiced within corporate boards. Finally, Section VI discusses the study’s findings and reflects on some of
the main implications ensuing from our empirical analysis.
II. RISK OVERSIGHT AND THE ROLE OF CORPORATE BOARDS
With risk being often seen as a necessary precondition for the ability of capitalist economic systems to generate rewards, the
management of this risk has become a continued concern for corporate actors (Purcell 2016). While it is management’s duty to
develop and implement risk management systems, corporate boards have the role of overseeing management’s risk-taking and
reviewing the related processes and outcomes. The board’s risk oversight duties, therefore, focus on corporate activities such as
identifying, analyzing, managing, and monitoring enterprise risks (COSO 2004; OECD 2014). Recent surveys (PwC 2019) indicate
that as many as 94 percent of board members consider risk management expertise to be key to their ability to perform their duties. It
is often the audit committee or a stand-alone risk committee to which the board delegates the organization of risk oversight
(Beasley, Branson, and Hancock 2010). The aim of these committees is typically understood as ensuring that the constantly
evolving risk scenarios facing an organization, and their consequences, are continuously evaluated (Viscelli, Hermanson, and
Beasley 2017). However, the full board still retains overall responsibility for overseeing corporate risk management systems.
Risk oversight by corporate boards has been a topic of debate in both practitioner/regulatory and academic communities,
particularly in the aftermath of recent corporate failures raising questions about the boards’ capacity to appropriately evaluate
enterprise risks (OECD 2014; Power 2009). In response to these criticisms, regulators around the world have introduced
measures designed to better define and enhance the corporate board’s role in monitoring a company’s risk management. Some
international examples include the U.S. Securities and Exchange Commission’s decision to mandate descriptions of the boards’
risk oversight duties in listed companies’ annual proxy statements, and the European Commission Directives (2006/43/EC and
2014/56/EU) formally defining boards’ responsibilities for overseeing the effectiveness of risk management systems. In
Canada, in the aftermath of the global financial crisis, the Canadian Securities Administrators made similar calls for substantial
improvement in risk management and oversight. Current Canadian regulation for public companies is relatively general in
scope—for instance, specifying that boards of directors have oversight responsibilities regarding their company’s risk
management (National Instrument 58-201). That being said, a range of private sector-led initiatives developed in the aftermath
of the financial crisis to alleviate further regulatory scrutiny (Leech 2012). In 2012, after several years of preparation, the
Canadian Institute of Chartered Accountants issued the Framework for Board Oversight of Enterprise Risk ‘‘to provide a
practical approach to risk oversight designed specifically for boards of directors, including a framework, methodology and
toolsets’’ (Caldwell 2012, 1). The Framework detailed nine steps to assist boards, ranging from steps to identify, categorize, and
prioritize risks—to the analysis of their consequences, risk tolerance, and appropriate response strategies.
Despite the above initiatives, extant research evidence of the outcomes of risk oversight in terms of its influence on
corporate risk-taking and reporting has been mixed. While some studies have underscored strong board oversight playing a
substantive role in the development and quality of organizational risk management processes (Baxter, Bedard, Hoitash, and
Yezegel 2013; Ittner and Keusch 2015), others exposed significant deficiencies in board effectiveness as a consequence of time
constraints and the lack of expertise (Ingley and van der Walt 2008). Furthermore, prior research suggests that the outcomes of
risk oversight by boards are greatly influenced by the organization’s risk management objectives and culture as well as risk
leadership structure. In their field study of risk management practices, Cohen, Krishnamoorthy, and Wright (2017), for
example, point to two views of risk management most prevalent among governance actors. One equates it to a contractual
mechanism to align the interests of company investors with those of the management, such as by reducing managers’ excessive
risk-taking (agency theory perspective), and the other presents effective risk management as an essential part of the business
strategy to cope with environmental uncertainty (resource dependence perspective). The authors report prioritization of the
former and insufficient focus on the latter perspective by actors involved in risk oversight (audit committees), which they argue
may have a detrimental effect on the committees’ ability to perform its duties. Likewise, in an interview-based study of risk
Making Sense of Risk Management as a (Dis)Comfort-Inducing Practice 3
Behavioral Research in Accounting
Volume 33, Number 1, 2021
management implementation strategies across a range of organizations, Viscelli et al. (2017) report a limited contribution of
risk management to corporate strategic planning as a result of an organization culture that places insufficient emphasis on the
connectedness between risk and the firms’ strategic leadership.
Studies, including those mentioned above, have promoted a largely functionalist firm-centered view of risk management
emphasizing performance and/or governance-related motivations and rationales. There is little research seeking to enhance our
understanding of in situ experiences with regard to the dynamics of risk management and oversight at the board level. Among
the few exceptions is Bodnar, Giambona, Graham, and Harvey’s (2019) survey-based investigation of corporate risk managers,
which found that these individuals’ experience, personal attitudes toward risk, and education influence their degree of
engagement in risk management. Importantly, the authors called for a greater emphasis to be placed on the so-called ‘‘human
factor’’ and how ‘‘it plays a crucial role in corporate risk management decisions’’ (Bodnar et al. 2019, 2). In this paper, we
respond to the above call by examining the role that the intertwined notions of comfort and discomfort play as meaningful
referents in how board members experience risk oversight (Kewell and Linsley 2017).
III. THEORETICAL PERSPECTIVE ON (DIS)COMFORT AND RISK MANAGEMENT
At the heart of many professional practices lies their commitment to the so called ‘‘psychological contract,’’ the ability to
provide various forms of comfort, reassurance, or the feeling of security to those facing uncertainty, be it placating words from
a nurse, conciliatory advice from a lawyer, or comforting reassurance about a company’s financial performance as mediated
through an audit report (Fareed 1994; Carrington and Catasu´s 2007; Sarens et al. 2009). Similarly, Kewell and Linsley (2017)
argue that reassurance (otherwise known as comfort) seeking represents an important motivation for the substantial rise in risk
management, although it remains insufficiently discussed in the literature. They maintain that comfort heuristics are
‘‘responsible for the temporary relief and catharsis that risk analysis and assessments of probability/possibility provide,’’
thereby representing ‘‘an extremely important esoteric resource that puts the mind at ease [. . . and has clear] social, cognitive
and emotional attributions’’ (Kewell and Linsley 2017, 20).
In his comprehensive philosophical theory of comfort/discomfort (see Figure 1, which presents key concepts relevant to
this study), Pezeu-Massabuau (2012, 20) conceptualizes comfort as a state, i.e., ‘‘a range of comforts and convictions integrated
into a position of immobility that we take for stability,’’ as well as an action, i.e., a continuous drive ‘‘to attain this private form
of happiness whose truth consists only in the ongoing certainty that we are moving towards perfection.’’
Hence, comfort is both an experience we can immerse ourselves in and an endeavor driven by our agency. In case of risk
management, the awareness that material risks facing an organization have been accounted for, their potential effects have been
analyzed, and appropriate controls have been introduced, is intended to yield a feeling of comfort and security to organizational
actors. In addressing this, Kewell and Linsley (2017, 22) point to the ‘‘purgative and remedying effects’’ of risk management,
including ‘‘the sensory state of feeling re-assured’’ (emphasis added). Beck (1992) goes even further by qualifying today’s
world as a ‘‘risk society,’’ a society obsessed with maintaining a state of comfort through an emphasis on the manageability of
the myriad of insecurities that humans and organizations increasingly perceive in their environments.
The instillation of a belief that risk can be managed is undertaken through a pursuit of comfort-inducing actions performed
‘‘by enlightened individuals, who believe themselves capable of vanquishing fear and anxiety in another person’’ (Kewell and
Linsley 2017, 20). Here, as an act of comfort giving, risk management involves comfort givers (such as consultants who claim
mastery of sophisticated technologies of risk management) and comfort seekers (such as corporate board members relying on
consultants’ advice for decision-making), even if the blurriness surrounding these two categories has to be recognized.
Accordingly, both corporate boards and consultants may equally engage in processes of risk management in their capacity as
users, educators, promoters, overseers, and implementers.
While deferring to the givers’ expertise, the comfort seekers must trust and readily accept the assurance provided by the
givers as appropriate and legitimate in order to embrace it. To enhance their legitimacy and gain this trust, comfort givers invest
in the development of rules, procedures, and technological tools that Power (2007, 852) theorized as a ‘‘defense against
anxiety,’’ enabling organizational actors to feel in control of their destinies and also in agreement with established legitimized
principles. In effect, this plethora of risk management tools offers, at least partially, ready-made and reassuring solutions for
identifying risks, estimating their impact, and providing decision-makers with data to inform judgments (Kewell and Linsley
2017). The culture of risk manageability that these technologies promote is also used to present risks not merely as threats but
as potential opportunities for improving organizational performance (Arena et al. 2010; Mikes 2011).
That being said, where there is comfort, there is also the possibility of feeling discomfort as both ‘‘operate in conjunction
and we cannot separate them’’ (Pezeu-Massabuau 2012, 73). Accordingly, the practice of risk management entails plentiful
possibilities for experiencing discomfort. While identifying something as a risk may produce comforting sensations that
dangers posed to an organization’s survival are graspable and predictable, it may also very well lead to discomforting doubts
and concerns over the appropriate means by which the risk should be evaluated, managed, and monitored, as well as over the
4 Gendron, Samsonova-Taddei, and Gue´nin
Behavioral Research in Accounting
Volume 33, Number 1, 2021
overall adequacy of the organization’s existing risk management architecture. In many ways, cultivating discomfort may even
be highly appropriate and significant for risk management to be effective. In a similar vein, discomfort is not simply
experienced. It can be practiced or even intentionally invoked. In this regard, Pezeu-Massabuau (2012) provides a typology of
discomfort in which two elements are of particular relevance to this study. One type is discomfort as resulting from external
obligations (Pezeu-Massabuau 2012, 34)—the norms, customs, and prescribed courses of action that one may be subject to.
One may, for instance, pursue actions that invoke discomfort (e.g., waking up in the middle of the night to prepare for an early
morning shift) on the basis that such actions are required by established practice rules (e.g., work shift schedules). Another type
FIGURE 1
Theoretical Perspective on (Dis)Comfort
Making Sense of Risk Management as a (Dis)Comfort-Inducing Practice 5
Behavioral Research in Accounting
Volume 33, Number 1, 2021
is discomfort resulting from self-imposed privation (Pezeu-Massabuau 2012, 30), when one voluntarily deprives oneself of the
comforts that they have learned to value, most often in exchange for some emotional recompense such as the feeling of doing
the ‘‘right thing.’’ One can, for example, voluntarily inflict the discomfort of restricting travel to support the honorable goal of
reducing one’s carbon footprint. Importantly, when discomfort is practiced not as a consequence of an external obligation
(norms/rules) but as a consequence of self-imposed privation, it often carries with it significant transformative potential (Pezeu-
Massabuau 2012, 44); in other words, the capacity to challenge the continued relevance of established norms and cognitive
schemes (such as the notion that regular travel is an unavoidable part of modern life).
The premise that we develop in this paper is that the practice of risk management and the related architecture of technological
tools may be conceptualized as an array of actions that may arouse feelings of both comfort and discomfort as material risks to
organizational objectives are identified, and actions to reduce and maintain these risks at an acceptable level are developed. As we
will see, viewing risk management through the prism of (dis)comfort enables an alternative account of the role it plays in
organizational decision-making. The prism especially helps us appreciate the ways in which reliance on particular risk
management practices and tools may contribute to the production of comfort/discomfort feelings about an organization’s ability to
achieve its goals. The (dis)comfort angle also enables a better understanding of what motivates approaches to the identification
and mitigation of risks. For example, the identification of risks as an act of practiced discomfort may be seen mainly as a
consequence of the obligation to adhere to an externally imposed set of rules or risk management ‘‘best practices.’’ Alternatively,
risk identification can be experienced as an act of deprivation whereby one’s feeling of certainty about the achievement of
organizational objectives becomes profoundly and consciously challenged by the genuinely unknown, or what Power (2007)
termed ‘‘the critical imagination of alternative futures,’’ thereby triggering a holistic comprehensive examination of fundamental
systemic risks. The prior literature indicates that problems and deficiencies surrounding contemporary risk management often stem
from over-reliance on comfort-inducing measures (such as rules-based, technical approaches to risk management that privilege
easy use and traceability)—at the expense of more critical and potentially discomfort-aggravating efforts to address more systemic
risks that originate from organizational externalities and interconnectedness (Power 2004, 2007).
With reference to the theoretical perspective on (dis)comfort outlined above, this study aims to answer the following
research question:
RQ: To what extent do feelings of (dis)comfort play a role in how risk management is experienced and performed at the
level of corporate boards, and, accordingly, how do boards fulfill their duties with regard to risk oversight?
IV. METHODS
This study is in line with calls made in the accounting literature (over many years) regarding the significant need for
qualitative research to improve our understandings of how the world surrounding accounting works (Kenno, McCracken, and
Salterio 2017; Malsch and Salterio 2016). As maintained by Chua (2019), venturing into the field through qualitative inquiry
brings a series of important benefits in terms of knowledge development.
Our study belongs to the interpretive paradigm of accounting research (Power and Gendron 2015). Following the need for
flexibility in this type of research (Patton 1990), we initiated our inquiry with a broad purpose in mind—to study how risk
management is perceived and practiced in corporate board settings.3 Our specific focus emerged later in the data analysis phase,
when we identified (dis)comfort-seeking as a meaningful template to make sense of the ways risk management is practiced at
the board level.4
As part of our investigation, we carried out 25 semi-structured interviews with board members and consultants, which we
conducted in Canada between September 2011 and May 2012.5 The first author already knew six interviewees; the other
3 The Research Ethics Board at Universite´ Laval approved this research project.
4 Since richness is one of the key strengths of interview data (Patton 1990), it is not unusual to find different qualitative research papers being predicated
on the same database, with each paper examining the data in accordance with a particular perspective (Heaton 2004). Accordingly, another manuscript
(i.e., Gendron et al. 2016) is derived from this research project. Although Gendron et al.’s (2016) manuscript shares data with the present one, each of
them approaches risk management from a distinct angle. That is, Gendron et al.’s (2016) study relies on a cultural theory of purification to examine the
processes by which actors involved in corporate boards manage to keep their faith in the idea that risk can be managed despite recurring aberrations,
which in principle, could be interpreted as tangible demonstrations of risk management failures. The present manuscript is much more focused on
examining how risk management is practiced in corporate boards. A key aspect of this practice, which emerged from our analysis, is (dis)comfort-
seeking.
5 We also conducted nine additional interviews with eight individuals other than corporate board members and consultants. These interviewees included
four Chief Risk Officers, two think-tank executives, one recently retired Big 4 audit partner, and one individual in charge of the risk oversight domain
within a professional institute (interviewed twice). Although these interviews do not feature in the empirical analysis section, they contributed to our
understanding of the risk management field more generally. It is worth noting that those eight interviewees correspond to the missing numbers in Table 1
(column ‘‘Interviewee’’).
6 Gendron, Samsonova-Taddei, and Gue´nin
Behavioral Research in Accounting
Volume 33, Number 1, 2021
interviewees were identified either through a snowballing approach or through internet searches focused on high-profile
organizations and consulting firms. All interviews were conducted by the same author and were face-to-face, except for three
carried out by telephone for convenience. As shown in Table 1, the interviewees included 14 individuals who were board
members (at the time of their interview) in at least one public company and 11 consultants (most of them specializing in risk
management). Most of the board members interviewed had experience on audit committees, which were often explicitly in
charge of overseeing the company’s risk management processes. A few of them sat, when it existed, on the board’s risk
management committee (commonly present in financial institutions). In line with the role historically played by financial
institutions in the risk management domain, two-thirds of interviewees had worked in financial institutions and/or had board
experience in such organizations. The extent of linkages with financial institutions in our dataset is an ex post observation. In a
way, this observation implies that interviewee experiences relate to sophisticated risk management systems, at least partially.
Our interviewing strategy was to foster the development of a meaningful and engaging conversation with the interviewee,
aimed at stimulating their reflexivity. As a result, our role was to ‘‘help interviewees think about their work and themselves in
different ways’’ (Empson 2018, 62). The most important themes discussed in interviews included: background information on
career and board involvement; viewpoint on the notion of risk; processes by which significant risks are detected, evaluated, and
TABLE 1
Interviewee Characteristics
Date of
Interview Intervieweea
Member of
a Public
Company
Board at the
Time of the
Interview?
Career
Involved
Financial
Institution,
as Employee
or Board
Member? Main Current Occupation
September 2011 BM 1 Yesb Yes University academic
September 2011 CONS 2 No No Risk management consultant (at principal level) in large accounting firm
September 2011 BM 4 Yesb Yes Corporate director; former audit partner in large accounting firm
September 2011 CONS 5 No Yes Consulting firm partner, specialized in risk management
September 2011 BM 6 Yesb No Corporate director; former audit partner in large accounting firm
October 2011 BM 7 Yesb No Corporate director; recently retired as audit partner of large accounting firm
October 2011 CONS 8 No No Consulting partner, specialized in risk management, in large accounting firm
October 2011 BM 9 Yesb Yes Corporate director; recently retired as CEO of financial institution
October 2011 CONS 10 No No Consulting partner, specialized in risk management, in large accounting firm
November 2011 CONS 11 No Yes Consulting firm partner, specialized in risk management
November 2011 CONS 12 No No Consulting partner, specialized in risk management, in large accounting firm
November 2011 BM 13 Yesb Yes Corporate director
November 2011 BM 14 Yesb Yes Corporate director
November 2011 CONS 18 No Yes Consulting associate partner, specialized in risk management, in large
accounting firm
November 2011 BM 19 Yes Yes Senior advisor in business law firm; corporate director
December 2011 CONS 20 Yes Yes Consulting firm top executive
December 2011 BM 23 Yesb Yes Corporate director
December 2011 BM 24 Yesb Yes Corporate director
January 2012 CONS 26 No No Consulting firm principal, in charge of Canadian financial institutions
March 2012 CONS 27 No No Consultant, specialized in sustainability
March 2012 BM 28 Yesb Yes Corporate director
March 2012 BM 29 Yesb Yes Corporate director
March 2012 BM 30 Yesb Yes Corporate director; recently retired as public servant executive
March 2012 CONS 32 No No Consulting principal, specialized in risk management, in large accounting
firm
May 2012 BM 33 Yesb Yes Corporate director
a Interviewees who were board members of at least one public company, at the time of their interview, are designated ‘‘BM #.’’ Consultants are designated
‘‘CONS #.’’
b Currently involved on at least one audit committee or risk management committee.
Making Sense of Risk Management as a (Dis)Comfort-Inducing Practice 7
Behavioral Research in Accounting
Volume 33, Number 1, 2021
represented; type of information on risk management conveyed to the board; main sources of confidence used by board
members when making sense of organizational risk; and main matters of disagreement when risks were discussed at the board
or committee level. Since most participants had significant board or consulting experience, the interviews also covered changes
in attitudes and practices over time. The interviews lasted between 55 and 105 minutes.
Recognizing that the issue of trust surrounding sources of information in qualitative research is complex (Schaefer and
Alvesson 2020), we took several measures during the interviews in seeking to establish the trustworthiness of the data (Lincoln
and Guba 1985; Malsch and Salterio 2016). We asked participants for permission to record their interviews and emphasized
that their identity and that of their organizations would be protected. Also, we informed them that they would have the
opportunity to check the reliability of their interview transcript and, if necessary, make any alterations.6 It seems to us that the
participants were candid during their interviews—their explanations being elaborate, plausible, and quite often illustrated
through anecdotes.7
An initial review of the interview transcripts highlighted the strong presence of emotive undertones in participants’
accounts that we interpreted as expressions of (dis)comfort felt in relation to various aspects of risk management practice. This
prompted us to examine the literature on the notion of (dis)comfort; in the process we identified Pezeu-Massabuau’s (2012)
theorizing as a promising perspective for analysis. We then carried out a more detailed analysis of the interview data through
qualitative procedures performed on NVivo and, by reference to Pezeu-Massabuau’s (2012) work, developed a coding scheme
to identify subthemes that characterized how comfort heuristics play a role in the ways in which risk management is
experienced at the board level.
More specifically, we sought to capture the feelings of (dis)comfort as expressed by the participants as well as whether/
how they acknowledge and act upon those feelings. When analyzing the interviews, we were mindful that expressions of
(dis)comfort are manifold and hence require careful interpretation. Feelings of ‘‘comfort’’ or ‘‘discomfort’’ were not inferred
only when the interviewees referred to them directly; rather, they were often inferred in the course of more implicit discussions
(e.g., about worry, sleepless nights, feelings of certainty or lack of it, among others) that provided clues that such feelings were
present. We related those discussions to our chosen theoretical frame to understand how they could be interpreted in terms of
expressions of (dis)comfort and the particular ways in which such expressions may influence how participants perceive their
roles, the objectives of risk management, and the usefulness and effectiveness of the risk management tools they use.
Overall, interview accounts provided by board members and consultants provide a nuanced understanding of how
(dis)comfort is (re)produced in the course of risk oversight, albeit in different ways. More specifically, our analysis emphasizes
how consultants play a key role as producers and suppliers of comfort to corporate boards by providing practice approaches
and tools presented as capable of instilling confidence in risk management processes. It also shows how the board members
were the keen recipients of these approaches and tools.8
V. (DIS)COMFORT AND RISK MANAGEMENT PRACTICE
This section presents a detailed analysis of how risk oversight is experienced at the level of corporate boards and explores,
in particular, the roles played by the two key actor groups mentioned above—board members and risk management consultants.
Figure 2 provides a summary of key findings. It shows that, although practicing discomfort (ensuing from evaluating risk
scenarios) may be seen as forming part of the boards’ risk oversight responsibilities, comfort seeking represents a powerful
referent influencing how boards dispense such responsibilities. As such, Figure 2 presents a summary of particular themes
stemming from our analysis, which point to the ways in which comfort heuristics are implicit in risk management practice. In
this section, we categorize risk management practice along four key questions. What kind of advice do consultants provide as
comfort givers? How is (dis)comfort produced within boards through the use of tools such as risk maps? How do boards
develop a comforting consensus regarding complex endeavors such as risk categorization and the development of risk control
measures? How do board members become comfortable with the risks (limitations) of risk management? The following
subsections explore these questions in more depth—while underlining the role of comfort heuristics in experiencing risk
management.
6 Three interviewees provided revised transcripts. Only minor alterations were made in the revised transcripts, most of them being of a clarifying nature.
7 We conducted about two-thirds of the interviews in French and transcribed them, based on the interview language. The first author ultimately translated
the excerpts into English from the French transcripts that are incorporated in this manuscript. We recognize that meaning subtleties in the original
language may have been lost or altered through our translation (Kamla and Komori 2018).
8 By and large, the comfort perspective that we use here to make sense of our findings reflects some of the most important patterns we identified in our
dataset. That being said, this article does not rely on all significant patterns we found; instead, our analytic emphasis was to ensure that the themes and
interview quotations we mobilized are coherent with the paper’s theorized storyline (Golden-Biddle and Locke 2007).
8 Gendron, Samsonova-Taddei, and Gue´nin
Behavioral Research in Accounting
Volume 33, Number 1, 2021
Comfort-Giving by Making Risk Manageable
Since circa the mid-1990s, risk management became a key component of the corporate board vocabulary used to make sense
of the flow of events surrounding corporate life (Power 2004). Today, board members rely on a plethora of tools in dispensing
their duties with regard to risk management—tools that have been developed, to a great extent, by actors such as consultants and
other risk management specialists eager to promote an understanding among corporate boards and executives (comfort seekers)
FIGURE 2
Risk Management and (Dis)Comfort
Making Sense of Risk Management as a (Dis)Comfort-Inducing Practice 9
Behavioral Research in Accounting
Volume 33, Number 1, 2021
about the nature and consequences of their organization’s exposure to primary and reputational risks (Gephart, Van Maanen, and
Oberlechner 2009; Arena et al. 2010). As our interviews confirm, these expert claims emphasize the presumed ability of risk
management to convert risks into something that can be handled and even controlled, hence giving rise to feelings of certainty and
comfort. The role of consultants as ‘‘comfort givers’’ can be inferred from the way they justify the need for risk management as a
repository of tools enabling corporate boards to (perhaps paradoxically) reach comfort through what Pezeu-Massabuau (2012)
referred to as ‘‘practiced discomfort,’’ the self-inflicted problem of identifying and accounting for risks. During the interviews,
many consultants acknowledged that identified risks were something one can ‘‘be afraid of,’’ but interpreted them as acceptable
and even desirable on the basis that they could ultimately lead to greater recompense, namely the corporate boards’ enhanced
capacity to manage future uncertainty and ensure survival (Pezeu-Massabuau 2012). The comments below, presenting risk
management as a platform for meaningful intervention, illustrate this point:
We highlight for our clients . . . that . . . we should not be afraid of being exposed to risk. Companies need to be aware
of their surrounding risks and potential consequences. Companies are then able to react in a more appropriate way
when risk materializes. Managers are better prepared when they’re aware of the worst that can happen. (CONS 2)
It is the thing that is always on my mind—when we have finished our work and think we have got it right, I think
‘‘what is the degree of comfort we are giving?’’ Does the fact that we put in place a better structure to identify, control,
and quantify risk, to improve all these controls . . . provide comfort at the level they [the company] expect? (CONS 8)
In the first excerpt, the interviewee conceives of risk management planning as a lifeline to secure the organization’s
longevity in a tumultuous, uncertain environment. By emphasizing that risk management makes companies more ‘‘aware of’’
and ‘‘prepared’’ for risks that may materialize, they effectively re-imagine uncertainty as something within the purview of
organizational controllability, implicitly highlighting what is made explicit in the second quotation, i.e., the importance of risk
management as something that can ultimately yield comfort and reassurance. Here, comfort ensues from two reassuring
assumptions—that controllable pitfalls are prevented from taking place (e.g., fraud, hacker intrusion, currency conversion loss,
etc.), and that basic operations may be maintained when pitfalls (controllable or not) do materialize.
Furthermore, during the interviews, we also witnessed the sensory expression of comfort heuristics from the affirmative,
resolute, and overall positive tone with which many risk management consultants discussed particular situations from practice.
In such discussions, risks emerge as threats that can and should be tackled as well as strategic opportunities to be reaped. The
following excerpt relates to a line of thinking that a consultant reportedly uses when dealing with a typical mandate.
We help the organization to carry out a risk inventory along a bi-dimensional matrix which takes into account the
magnitude of consequences and the likelihood of materialization. We deal with reputational risk, operational risk,
financial risk, and the risk of not meeting the organization’s business objectives. Importantly, we conceive of risk not
only from a threat perspective, but also from a strategic perspective. For instance, let us say that company X aims to
have 20 percent growth per year. How does it manage the risk of not meeting this target? If the company aims to reach
this target through the acquisition of other companies, what processes does it have to manage acquisitions and the risks
they convey? (CONS 12)
The excerpt exemplifies how consultants reproduce the reassuring image of authority and knowledgeability, through a
compelling cartography of organizational risks that can be used as a platform for risk diagnosis, problematization, and
treatment.
As argued earlier, the psychological contract that generates the demand for many professional services, including risk
management, rests on the professional’s ability to offer conciliatory advice and technical solutions that relieve their clients of
feelings of anxiety and discomfort, such as those associated with perceived risk and uncertainty (Kewell and Linsley 2017).
Accordingly, we found risk management consultants to play a key role in the development and promotion of tools and templates,
such as two-by-two ranking matrices or heat maps, for instilling feelings of comfort through the reassurance that the organization is
‘‘covered’’ in case of risk materialization (see also, Pollock and D’Adderio 2012). These tools are presented as capable of re-
imagining risk as something concrete, almost tangible, hence strengthening a sense of comfort and confidence in the board’s ability
to carry out risk management duties in a tangible way. For example, in their discussion of the processes of risk identification,
several interviewees referred to them as an ‘‘inventory of risks’’ (e.g., BM 23), hence implicitly signaling the ‘‘tangible’’ nature of
the notion of risk in their eyes. Like items in a warehouse that can be physically checked and counted, an astute manager or
consultant can scrutinize an organization’s environment to identify the different risks to which it is exposed. One consultant from a
Big 4 audit firm showed us the firm’s basic organizational risk map—a poster about one meter square written in a tiny font
identifying a few hundred generic risks, grouped along key families, such as corporate governance and strategy.
This map is quite exhaustive. A company is a company, the number of risks to which it is exposed is necessarily
limited . . . The map is a tool that provides rigor. It’s useful to check for the completeness of the risk inventory. It’s
10 Gendron, Samsonova-Taddei, and Gue´nin
Behavioral Research in Accounting
Volume 33, Number 1, 2021
also useful in providing a common vocabulary to ensure that all participants within the company use the same words.
Because people in finance and people in marketing do not have the same basic language; thus, when it’s time to
discuss where, strategically speaking, the company is going, these people need to understand the same thing. It’s our
role, as consultants, to explain in clear terms the meaning of every risk and to make sure that everyone understands.
(CONS 2)
Furthermore, during the interviews, participants often referred to the importance of knowledge sharing and dissemination
of risk management best practices across organizations. Conceivably, awareness of the alternatives acquired through such
sharing practices has a potential to lead to the feelings of uncertainty, inadequacy, and potential discomfort as board members
may come to realize that their organization’s existing risk management architecture may lag behind the industry’s ‘‘best
practice.’’ However, our analysis indicates that, by and large, knowledge sharing seems to be more of a key means through
which confidence and comfort are promoted among board members. The excerpts below demonstrate the common perception
that effective risk management is within reach if one searches hard enough to find the right type of expertise and knowledge.
They also point to the widespread belief that corporate consultants are legitimate sources of such expertise.
We have successfully completed more than 500 mandates, from the Canadian Border Agency to federal departments
focused on science and research. We have done it all—it’s our strength. (CONS 5)
If the audit committee or the board are not sufficiently comfortable [in their knowledge of risk management practices
and procedures], then the question one should ask is, ‘‘Have you tried to help yourselves, I mean to get help from
experts in the field?’’ (BM 7)
Hence, owing to their supposed exposure to a diversity of organizational contexts and risk management practices,
consulting firms are seen as fulfilling the role of comfort producers capable of placating board members with an image of
accumulated ‘‘state-of-the-art’’ expertise that boards can rely on. Further, risk management tools and techniques promoted by
consultants may be seen as offering the comfort-giving promise of manageability, deploying a functional architecture centered
on interpreting risks, evaluating their likely impact, and providing data to inform decisions about appropriate safeguards
(Kewell and Linsley 2017). In the following subsections, we examine in greater depth the particular ways board members make
use of such tools and techniques to perform their risk oversight duties.
Risk Maps and the (Dis)Comfort Ensuing from Making Risks Identifiable
As pointed out earlier, risk management can, at least in principle, lead to practiced discomfort (Pezeu-Massabuau 2012)
associated with the feelings of uncertainty and concern one may experience when having to imagine the (often elusive) risks
that potentially threaten an organization. From a corporate governance perspective, board members are formally required to
oversee the processes by which corporate managers identify risks. In other words, practicing discomfort by obligation, as
defined by Pezeu-Massabuau (2012, 73), forms part of the board’s responsibilities. The following excerpt articulates a link
between, on the one hand, the practice of risk management as a discomfort by obligation and, on the other hand, confidence in
the board’s ability to handle risk:
The risk management mechanism that we have in public companies, it is not a whim, an event, or a comfort procedure
for directors, it is required by the regulators. They force us to table our risk management plan, to document it, then we
have to send it, then we have to update it, every year they ask us if there are any changes. We are almost required to
have a risk management department with a few staff devoted to the elaboration and maintenance of the risk
management plan. Yet this kind of structure benefits us, in that we are better able to react properly and [in a] timely
[manner] when risk materializes. (BM 6)
While dispensing their risk management duties, board members engage in a web of activities that enable judgments to be made
about the means by which corporate directors identify risks. In general, our interviews point to risk identification as a critical
step to ensure risk management effectiveness. As one participant mentioned, the whole edifice of risk management depends on
the completeness of risk identification, given that ‘‘an unidentified risk is a risk that cannot be managed’’ (BM 1). Further
commentary is provided below:
Interviewee: The procedure is not rocket science. We just inventory the different risks that may affect our company.
Interviewer: But some risks may not be that easy to recognize.
Interviewee: No. It’s not a problem at all when the people in charge of it know the company very well. (BM 23)
In this short dialog, an equation emerges between the practice of risk inventory and the production of comfort. When
reviewing processes for risk identification, boards, among other things, rely on the information input provided by management.
Making Sense of Risk Management as a (Dis)Comfort-Inducing Practice 11
Behavioral Research in Accounting
Volume 33, Number 1, 2021
The nature of such communication has a significant impact on the emergence (or not) of feelings of comfort among board
members in relation to the effectiveness of the organization’s risk management:
It’s not up to the Chief Risk Officer to identify risks; risk identification should belong to business unit managers . . .
We need to make sure that risk identification starts from the bottom and that risks are gradually aggregated as we
move towards the executive level. The executive level, thereafter, needs to carry out its own analysis, in a top-down
way. (BM 13)
The organization above seems to rely on a grassroots approach to articulating its risk identification protocols. The same
interviewee added that board members need to be especially attentive to any discrepancies between their assessments and risk
management analyses by the executives, denoting the perceived convergence as a source of comfort and divergence as a trigger
of discomfort.
If I ask my question about returns versus risk, and I realize that the risk taken on is different from what we had
discussed initially. So, you say ‘‘oops’’! Then you have to assess that because it does not correspond to what is defined
as the risk appetite. The management and the board must have [a] convergence of views on their risk appetites.
Because if you realize there is no convergence, then there is discomfort and worry. (BM 13)
As mentioned earlier, board members rely on a plethora of tools in dispensing their duties with regard to risk management.
Our analysis indicates that one of the chief tools that boards use to identify and make sense of risks is ‘‘heat maps’’ (Caldwell
2012), i.e., graphical devices that classify risks in terms of their degree of severity along two dimensions—probability of
occurrence and magnitude of consequences (Mitterhofer and Jordan 2016). The basic objective of these maps is to make visible
a hierarchy of risks; stakeholders are then supposedly able to pay attention to the most significant or unmanaged risks to which
the organization is exposed (Caldwell 2012, 45). As explained by an interviewee below, traffic light colors are often used in
heat maps to provide a sense of risk significance (e.g., green, yellow, red):
Probabilities play a role to some extent in risk management. Yet probabilities can be quite difficult to address. Let’s
refer to the probability that [name of U.S. company] decides to open stores in the province. Today, people may assess
the probability as being somewhere between 20 to 70 percent. Yet if [name of U.S. company] suddenly opens ten
stores in the province, we need to shift gears since the situation definitively evolved from a yellow risk to a red one.
(BM 7)
As such, heat maps are an example of a technology that may serve to enable control at a distance, providing means for
board members to oversee remote units (Jordan et al. 2013). As explained in the excerpt below, board members see the maps as
tools that enable them to put their trust in procedures for risk identification as risks are categorized in a seemingly clear,
unambiguous, and visually appealing manner:
So, let’s assume I’m director in a bank. If there’s a money laundering problem and there’s a problem with controls,
riskiness goes red. As a director, I should indeed concentrate on changes and the underlying arrows. Is the arrow up
(i.e., decrease in riskiness) or is the arrow down (i.e., increase in riskiness)? That’s what I really need to know. If the
arrow’s up, that’s really good news. However, I don’t want the arrow to go up just because company managers have a
plan in place. I want it to go green when the plan has been executed. (BM 28)
Thus, the above discussion shows how comfort is implicit in board member assessments of the appropriateness of
organizational approaches to risk identification. Importantly, to deem their organization’s risk management practices effective,
board members need to feel reassured and comfortable with the underlying processes. Tools such as heat maps are used as key
means to build comfort around risk identification through the development of shared understandings about risk. Indeed, it may
be quite reassuring for the board members to associate risk management quality with processual rigor such as an extensive use
of risk maps or meticulous risk management manuals. The comfort ensuing from the use of heat maps stems from perceptions
that such tools help make ambiguity (such as the probability of risk actually materializing) graspable, and ultimately
manageable. Not only do the interviewees above apprehend reality through the coloring scheme, but they also seem to grasp
such a scheme as reflecting a soothing reality where risks facing organizations have almost tangible properties. Ultimately, our
interviews indicate that heat maps play a significant role in strengthening board member comfort and confidence in carrying out
their risk management oversight duties.
Building Comforting Consensus over Risk Assessment and Control
After risks have been identified, the next step is risk screening or categorization. Here, our interview evidence corroborates
the view that corporate consultants have significant influence over business executives and board members (Christensen and
12 Gendron, Samsonova-Taddei, and Gue´nin
Behavioral Research in Accounting
Volume 33, Number 1, 2021
Skærbæk 2010). It also points to general unwillingness within boards to deal with uncategorized lists of numerous risks. Most
members showed strong preference for overseeing only the most important risks, usually between five and 15. The strong
prevalence of this practice (which is almost institutionalized) means that limits are placed on the kind of insights generated
through heat map analyses (Pollock and D’Adderio 2012).
Interviewees mentioned various methods to categorize risks. A number of companies focus their screening processes
primarily on inherent risks (i.e., those the company had no control to protect against) while others employ the residual risk
notion (i.e., risk leftover once the impact of corporate control is recognized). Further, we found cases where risks were
evaluated from a more qualitative perspective focused on the assessment of their nature and potential ramifications. However,
in the majority of cases, risk screening had a more quantitative focus, as exemplified in the excerpt below where a consultant
details their client’s approach:
It’s important to understand that we give a higher weight to the impact. Hence, [when explaining to the interviewer the
way in which the consulting firm categorizes each client’s risks] we must square this number and then we calculate its
cube root in order to translate the outcome on a scale of five . . . People take much comfort from quantitative data.
(CONS 5)
Deciding which risks should be prioritized and to which ones most attention and resources should be directed is an
inherently judgmental process that is fraught with uncertainty. Our interviews suggest that a common approach to somewhat
alleviating the feelings of discomfort relating to this uncertainty is through participatory processes that promote collective
responsibility. In particular, with advice and guidance from consultants or in-house persons in charge, some companies we
interviewed have adopted risk screening procedures where groups of managers and executives vote, using anonymous
electronic devices, on the probability and magnitude of risks. One consultant commented on the nature of the practice they
promote among their client companies and how boards generally respond to it:
The basic idea is to identify the top 10 or 15 risks, but identification needs to be consensual. In our firm, we use a tool
whereby managers and executives vote anonymously, with instantaneous display of the results. Intense discussions
among participants tend to ensue . . . All participants sit in a room—we interviewed every one of them on a one-to-one
basis before this meeting—and we provided each one with a technological device to answer a series of questions we
developed in advance that aim to measure the impact and probability of each risk. We need to be careful when
developing the questions, to ensure that they properly translate every risk; this is one of the most sensitive parts of our
work. But the most interesting part is after the vote; this is where the action is. Participants then try to adjust their
meanings . . . Outliers may decide to explain their point; others then say: ‘‘Well, have you considered this and that?’’ . . .
So, my role is basically to support discussions among participants, in order to facilitate consensus building. (CONS 2)
The excerpt above illustrates the kind of tools—proposed by risk management consultants and implemented by the
company’s management—to which board members are exposed through reports, statements, and speech at the board level. The
risk architecture conveyed to board members is presented as commonsensical and consensual, being the outcome of intense
processes in which disagreements were arbitrated in an organized arena, predicated upon principles such as voice-giving and
majority vote. In the process, an initially quite messy and discomforting situation is transformed into comfort-inspiring reports
emphasizing diagnosis (defining and measuring risks) and treatment (specifying measures to control for risk). Our interviews
also indicate that the quest for consensus building is also carried out directly at the board level—as a practice that initially
engenders discomfort (through the voicing of different opinions) but that reportedly translates, ultimately, into joint consensual
comfort. Many board members interviewed pointed out that they did manage to achieve consensus as a result of argument and
discussion taking place in board meetings:
Sometimes people may come up with a different view but with a thought-provoking argument. And this is what I call
an enriching discussion, and the goal for the board is to ensure that, in the end, we have explored all avenues and that
together we can find enough comfort to say, ‘‘Okay, the management have really assessed the risks.’’ (BM 7)
Another step that sometimes overlaps with risk categorization relates to establishing controls and measures to protect
against risk. Compared to risk identification and assessment, interviewees were less voluble in explaining how particular
control measures alleviate risks facing their organization. That being said, our analysis indicates that consensual comfort among
board members is relatively easy to establish when the outcomes of the organization’s risk management processes are presented
to the board, quite often through a heat map. One reason provided was that board members recognize that they do not have the
detailed knowledge of the business that corporate managers do:
Most disagreements relate more to nuances than basic issues . . . This is because corporate managers are very
knowledgeable about the operational risks, much more so than most directors. I’m not really competent in areas where
Making Sense of Risk Management as a (Dis)Comfort-Inducing Practice 13
Behavioral Research in Accounting
Volume 33, Number 1, 2021
technological expertise is involved . . . So, board members will make comments on the heat map—but it’s quite
unlikely that a fundamental debate will take place. (BM 13)
In sum, the risk categorization we observed seems to be reflective of conciliatory approaches that avert potential tensions
and produce comfort (Pezeu-Massabuau 2012). These processes promote the meaning of risk as a constant that is widely shared
within the organization. In the evidence presented above, perceptions of risk management as an endeavor where the building of
consensual comfort is prioritized are evident from the uneventful nature of the board meetings reported by our interviewees.
Two additional observations are warranted. First, the preference for generally quantitative approaches to risk categorization
and limiting the amount and/or types of risks analyzed may potentially signal a mechanistic mindset among a number of board
members (Gendron 2018; Power 2007).9 Second, that board members do not necessarily feel knowledgeable about the
organizations they oversee potentially restricts their capacity to challenge the internal processes by which risks are identified,
categorized, and managed. Knowledge deficiencies and an overall emphasis on mechanistic easy-to-apply approaches limit
opportunities for board members to experience risk management via what Pezeu-Massabuau (2012) termed discomfort by
privation, i.e., consciously and genuinely subjecting themselves to the more comprehensive, unrestricted, and far-reaching
analyses of the systemic risks. As Pezeu-Massabuau (2012, 44) noted, when discomfort is practiced not as a consequence of an
obligation (board’s formal responsibilities with regard to risk oversight) but of a genuine commitment or belief, it often carries
with it significant transformative potential, such as an acknowledgment that underlying definitions and processes of risk
management may benefit from skepticism and questioning. However, opportunities for such in-depth reflexivity may be
restricted by the boards’ focus on comfort-seeking strategies and approaches, such as by interpreting in positive terms the
apparent limitations of risk management, as we demonstrate in the following subsection.
Becoming Comfortable with the Perceived Limitations of Risk Management Technologies
In our interviews, board members did not necessarily presume the effectiveness of risk management tools. Yet we found
that the perceived deficiencies of the tools, although reflexively acknowledged by the boards, were often reinterpreted in
affirmative terms. Doubts over the capacity of risk management tools to anticipate and protect against risk were dispelled by
means of reasoning efforts designed to produce reassurance and comfort. Such exercises in comfort building, as we show
below, revolved around three streams of reasoning: (1) emphasizing the inevitability of risk exposure; (2) placing the blame on
the inadequate use of risk management tools; and (3) developing alternative approaches to compensate for the limitations of the
tools themselves.
Participants were often explicit about the extent to which risk management constitutes a complex practice. Pitfalls lurk
around every corner, threatening risk management’s effectiveness. Yet these threats and dangers—or the risks of risk
management (Power 2004; Vinnari and Skærbæk 2014)—tended to be reflexively interpreted in ways that reestablished faith.
Doubt was somehow translated into comfort:
Companies are never 100 percent risk free. No protective tools or methods can realistically cover the entire spectrum
of risks. Even when a company employs honest people and relies on the best risk management tools, external risks can
strike. Companies, however, are pretty much covered to face internal risks. From what I have seen during my career in
the field of finance, the main threat comes from external risks, not internal ones. (BM 9)
Relying on a claim of practical experience, the interviewee above acknowledged the challenges of managing external risk
while, at the same time, pointing to the seeming effectiveness of measures to protect against internal risk. Hence, they defined
the scope for success conservatively in one domain and optimistically in the other.
Some participants also took comfort in risk management by distinguishing it from crisis management. Their basic view
was that, when unforeseen risk materializes, the company’s crisis management system could reliably take over. As maintained
by BM 13, ‘‘given that we cannot anticipate everything, what is important is to have another layer of protection, that is to say an
effective crisis management process. Because we know, from the outset, that we cannot manage all risks.’’ It is therefore
reasonable to argue that being able to rely on carefully crafted backup and recovery systems in case of significant turmoil may
play a central role, overall, in developing and maintaining confidence in the risk management idea.
While acknowledging the potential shortfalls in risk management processes, some participants nonetheless were eager to
attribute those to the manner in which risk management tools, such as heat maps, are mobilized, rather than possible flaws in the
design of the tools themselves. The board member below, for example, apparently takes comfort in a belief that, with the right
emphasis (in this case, on risk optimization rather than minimization), risk management can be rendered an effective practice:
9 That being said, we recognize that a culture of quantitative enthusiasm is not prevalent in all kinds of organizations (Mikes 2011).
14 Gendron, Samsonova-Taddei, and Gue´nin
Behavioral Research in Accounting
Volume 33, Number 1, 2021
What you’re not looking for is risk minimization. You’re looking for risk optimization. I’ve said this so many times in
the last few years. I’ve seen boards that almost are prepared to settle for mediocrity because they overstate risk in
relation to reward. So, finding that optimum balance for a board and management is crucial . . . The aim should be
balance. It’s crucial that boards don’t lose sight of the fact that their principal role is to help a company make more
money. That’s really what the free enterprise system is all about. It’s important to have the right balance between
reward and risk. (BM 14)
Hence, while expressing doubt in the risk management process, the interviewee above also invoked the notion of balance
(between security and business growth) as a sign of comforting reassurance. That is, when mobilized in a sensible way, risk
management tools can positively assist in the achievement of organizational objectives. The interviewee in the next excerpt also
viewed balance as a model approach that they presented as challenging yet attainable. According to the interviewee, finding that
balance is akin to the art of haute cuisine:
The 2008 crisis was fueled, partially, by excessive risk management practices. From one day to the next, the risk
management indicators in financial institutions were all converging on the imperative to sell. Yet people should have
remembered that liquidation does not really work for some types of assets. Real estate, for example, typically
engenders stable profits if well managed—but liquidity is very low. Hence institutions should have been more prudent
in terms of the proportion of their investments in real estate . . . However, it’s not easy to do it given that no risk
management methodology can be shown to be always better than another. Institutions, therefore, always strive to find
the right recipe, the right combination in terms of salt, pepper, and spices. Yet the recipe changes with the type of
assets companies have. (BM 9)
Importantly, the last two interview excerpts also show that board members seek comfort through very different strategies
related to risk management tools. While some may take a somewhat bullish stance, seeing risk exposure as a concern that
should serve rather than overshadow the overarching focus on growth and wealth maximization, others take comfort in
promoting more cautionary defensive views and actions that emphasize risks as threats to be addressed first and foremost. As
such, these differences in views on the conceptual underpinnings of risk management and on the sources of comfort that can
ensue from it have practical consequences, notably by shaping perceptions of the appropriate course of action to manage risk.
In the following excerpts, board members make it clear that their feeling of comfort and confidence in the effectiveness of a
company’s risk management is founded not only on the quality of tools to manage risks but also, and perhaps more importantly,
on their faith in the organization’s risk culture.
Managing risk fundamentally depends on the organization’s culture. You know, some organizations have it in their
blood; they know how to manage risk effectively. Others do not know how to do it. In fact, risk management
effectiveness does not strictly depend on the abilities of a risk management department . . . I learned this through time:
whereas an organization may have the most efficient systems, the impact of these systems is undeniably reliant on the
integrity of the people who operate them. Are the employees honest? (BM 9)
The stuff around compensation, risk controls and . . . risk appetite. All of the improvements in setting of policies and
limits. Does that give me comfort? No, because you’re going to miss something. What gives me comfort is if I know
that there’s good risk culture in the organization. (BM 28)
These comments point to a belief that, in order to be effective, the generic risk management technologies should be
supplemented with more contextualized understandings of the organization and its environment. These understandings appear
to play an instrumental role in constructing feelings of comfort and legitimacy.
Another strategy employed by board members to become comfortable with limitations inherent in risk management tools is
the use of more informal, alternative approaches, such as personal questioning during and around board meetings. The excerpt
below illustrates how a sense of reassurance may ensue from board members learning to ask testing questions to garner
additional insights:
Many years ago, I had the opportunity to watch an experienced board member in action, whose favorite question to
management was, ‘‘What keeps on bothering you at night to the point that it prevents you from sleeping well?’’ This
question works incredibly well. For instance, I may ask the CFO, ‘‘What prevents you from sleeping at night? Is it the
company’s credit risk? Is it one of our clients which is getting too big and powerful? Is it our computerized system
which is in the process of being changed?’’ These questions allow us to check what’s going on and they’re pretty
useful in focusing our attention on things to watch for and follow up on the next meetings. Indeed, at the next meeting,
we ask, ‘‘What happened? Were there any pitfalls?’’ . . . The questions may sound quite trivial but they’re really
Making Sense of Risk Management as a (Dis)Comfort-Inducing Practice 15
Behavioral Research in Accounting
Volume 33, Number 1, 2021
powerful! Every time they’re asked, they generate a meaningful discussion where people talk about things they worry
about, which we then follow up at the next meeting. (BM 4)
Overall, most of our interviewees had a relatively high degree of confidence in risk management as a collection of
workable (although not necessarily perfect) tools to help organizations survive despite significant uncertainty. The following
excerpt exemplifies these perceptions as well as a sense of historical progress and collective learning from the past. It also
points to the board members’ representations of themselves as supposedly astute, competent overseers of risk, capable of
navigating through organizational complexities.
We did not talk that much 20 years ago about risk management. We were doing risk management, but we did not
articulate very well what we were doing. Today, we talk a lot about risk management and many initiatives have sought
to define it. It is now increasingly common to find board members asking management about the methods they use to
manage risk . . . Twenty years ago, CEOs, CFOs and managers were addressing risks but not in the way in which we
view risk and risk management today. Risk management, for sure, was then not expressed and defined in ways as
fulfilling, flourishing, and formalized as today. (BM 4)
The discussion above demonstrates that, rather than causing any significant discomfort, limitations of risk technologies are
interpreted by board members as being offset by their sagacious capacities, i.e., an expectation that they are able to reduce
uncertainty by asking astute questions during board meetings. Faith in the board members’ ability to skillfully mobilize
alternative lines of thought and actions to establish a sense of controllability is important to their overall confidence that risk
management is effective.
VI. DISCUSSION AND CONCLUSIONS
The aim of our analysis was to investigate how risk management is experienced and performed at the board level. In our
interviewee accounts, risk management emerges as a concept and practice characterized by a tension between, on the one hand,
sensations of uncertainty when risks to organizational effectiveness and survival are identified and, on the other hand, feelings
of comfort and reassurance as risks are categorized and mitigating measures developed. Further, while pointing to the evident
entwinement between feelings of comfort and discomfort, our findings reveal a general emphasis on the activities and tools that
promote comfort production as boards dispense their risk oversight duties. As summarized in Figure 2, we observed a variety of
ways in which comfort heuristics are implicit in risk management practice. We have seen, for example, how comfort serves as
the ‘‘end-state’’ (Kewell and Linsley 2017, 20) in risk deliberations by the boards, whereby members consider organizational
risk management to be effective so long as they feel comfortable with the underlying processes through which it is
operationalized. Or, in the words of one interviewee cited earlier, the ‘‘wisdom’’ of risk oversight is about answering the
question, ‘‘What prevents you from sleeping at night?’’ The aim of the process is to make sure that everybody can sleep at
night—that board members are sufficiently comfortable with what organizations have done in order to make sure their risk
management ‘‘works’’ and is ‘‘appropriate.’’ Often recited within the risk management community, the insomnia question
embodies processes of comfort building, while also illustrating why the notion of comfort is of great relevance to how risk
management is articulated in practical settings.
Our analysis demonstrates how consultants and other risk management specialists play chief roles in cultivating feelings of
comfort in relation to risk management, thereby fulfilling a ‘‘psychological contract’’ (Kewell and Linsley 2017) with their
clients. This implicit contract is centered on perceptions of predictability, controllability, and manageability as outcomes
resulting from effective risk management practices and tools. The role of such specialists as ‘‘comfort givers’’ and facilitators of
organizational consensus is evident, among other things, in their efforts to promote conciliatory approaches to risk deliberations
by the boards that emphasize unity over conflict, so that critical outliers become subjugated to the perceived primacy of shared
understandings and united actions. By re-imagining risks as opportunities rather than threats (such as through the rhetoric of
risk optimization rather than minimization) and providing ‘‘exhaustive’’ technological solutions along with guidance on their
application, consultants, in effect, help construct a new, seemingly unambiguous reality where risks facing an organization can
be interpreted and managed in a relatively straightforward way. That being said, ‘‘straightforwardness’’ depends on a range of
conditions being met in terms of culture, diligence, and skill in risk management.
We have underlined how the comfort-focused underpinnings of risk management promoted by consultants and other risk
management specialists are widely accepted by board members and embedded in their practice approaches. Our interviews
show, in this regard, how board members tend to be sympathetic recipients of comfort, exhibiting, by and large, relatively high
levels of confidence in the legitimacy of risk management repertoires within their respective organizations. Interviewees
commented, for instance, that risk management specialists and their toolkits provide a sophisticated understanding of past
events and bring effectiveness to the processes by which organizations cope with the future. As Kewell and Linsley (2017, 21)
note, comfort and reassurance-giving often ‘‘hinge on an unequal power-balance, tilted in favor of the ‘giver’’’ since to seek
16 Gendron, Samsonova-Taddei, and Gue´nin
Behavioral Research in Accounting
Volume 33, Number 1, 2021
comfort is effectively ‘‘to acknowledge deference to the expertise, knowledge and practical wisdom acquitted [by the expert].’’
Likewise, an often low degree of familiarity with the organization’s day-to-day business or indeed with the ‘‘art of risk
management’’ may lead board members to accept and diligently follow consultants’ guidance and advice.
Another way in which comfort heuristics manifest themselves is in board member understanding of the purpose and use of
risk management tools primarily as a means of comfort building (see Figure 2). Our analysis offered assessment of particular
tools, such as ‘‘heat maps,’’ as devices that, alongside consultants and boards, have taken primary custody of comfort
production. Heat maps provide board members with an intellectual platform to oversee the organization’s risk management
despite having limited involvement in its day-to-day business. Such risk maps make visible the organization’s ‘‘risk territory,’’
i.e., a spectrum of risks at one point in time, as well as the impact of some interventions. Put differently, risk maps, in principle,
provide a formalized basis for ‘‘practiced discomfort’’ (Pezeu-Massabuau 2012) by laying bare the threats lurking within the
organization and its environment that can materialize in the future. However, our findings suggest that heat maps are mobilized
primarily in ways which convert uncertainty into comfort, such as through quantitative easy-to-apply approaches to risk
identification fostering a belief that the range of risks facing organizations is finite.
Further, we have also seen a general tendency toward comfort preservation and (re)production whereby board members
actively pursue efforts to reestablish in positive terms the perceived deficiencies of risk maps. While being well aware of the
limitations of heat maps, board members see them as being offset by their own astute abilities and actions that bring comfort.
Inter alia, these comfort-enhancing actions involve ready-to-intervene crisis management protocols and developing channels of
communication with corporate managers, such as by asking questions during board and committee meetings in order to
(re)assess the importance of key and peripheral risks. We also found that, while being able to take some distance from the first-
level results emerging from risk management tools such as heat maps, board members appear to do so in ways that do not
threaten their confidence in the insights such tools generate.
Being accepting of the perceived limitations of risk management technologies (rather than seeking to develop novel
approaches) points to the pervasiveness of comfort heuristics whereby radical shifts are rejected on the basis that they may lead
to intolerable uncertainty. Likewise, the predominantly quantitative approaches to the utilization of such technologies
mentioned earlier likely reveal a mechanistic mentality toward risk management and prioritization of practices that can be easily
justified, traced, and ultimately, quickly yield reassurance that all key risks are identified. Risk oversight, thus, manifests itself
mainly as a duty to be fulfilled, i.e., a discomfort that one practices due to an obligation (Pezeu-Massabuau 2012), rather than a
genuine quest for an in-depth comprehensive assessment of risk. In other words, mechanistic approaches leave little room for
practicing ‘‘discomfort by privation’’ (Pezeu-Massabuau 2012), whereby one takes time in order to dive into the unknown and
imagine alternative futures and scenarios, however implausible (Power 2007). As shown in Figure 2, discomfort by privation
was relatively marginal in our empirical data. As argued by Pezeu-Massabuau (2012), practicing discomfort by privation is
associated with profound uncertainty and is therefore onerous. Yet, it also has greater transformative potential, i.e., a capacity to
challenge the continued relevance of established norms and cognitive schemes. Our point is that acceptance of uncertainty and
doubt as inevitable companions of risk management in action may produce deeper understandings of risk exposure facing an
organization.
We argue that it is the observed hesitancy of the board members in embracing the uncertainty and discomfort practiced as
privation that aggravates the so called ‘‘risks of risk management’’ (Power 2004; Vinnari and Skærbæk 2014), i.e., the
likelihood that significant issues and concerns will not be picked up by the existing risk management architecture. In this
regard, our findings reveal numerically-augmented easy-to-apply approaches to the analysis of risk that, as argued by
Slagmulder (2017, 180), have ‘‘the tendency to digress away from strategic risks’’ toward more routine ones, hence restricting
scope for ‘‘deep dive’’ conversations focused on systemic existential uncertainties and challenging the underlying assumptions
behind strategic decisions. In light of these possible deficiencies, there is a need to gain more clarity on a broader range of
questions around business strategy but also organizations’ ethical objectives and priorities, such as how existing risk
management repertoires and systems address organizations’ core values, and whether some ethically sensitive issues are
potentially excluded from the scope of risk management ‘‘territories.’’
It is also plausible that board member focus on comfort makes expressions of criticism less likely. Indeed, convictions of
comfort have been said to often lead to complacency that, in turn, makes questioning and challenging such convictions more
difficult (Kawall 2006). This raises important questions that we believe should be further investigated, such as: to what extent is
the risk management discipline supportive of monolithic ways of thinking within boards? Could the ways in which risk
management is practiced within corporate boards engender bias toward more dominant assumptions at the expense of novel
thinking and impetus to innovate (Alvesson and Sandberg 2014)?
Despite the above thoughts and questions, however, we do not seek to diminish the potentially significant role that
comfort-seeking can play in the practice of risk management nor do we advocate for approaches that paint explorations of
organizations’ uncertain futures as purely pain-fraught. Comfort-seeking can produce false assurances as much as it can
stimulate new ways of thinking about risk. For example, conceptualizing risk in more positive (comforting) terms (i.e., as an
Making Sense of Risk Management as a (Dis)Comfort-Inducing Practice 17
Behavioral Research in Accounting
Volume 33, Number 1, 2021
opportunity rather than merely a threat) may stimulate the development of more holistic analytical approaches, where risks are
treated as one important element in a broad-based pool of information about organizational strategy, performance, and
operations. Prior literature has already alluded to an increased likelihood of ‘‘box-ticking’’ and a ‘‘compliance trap’’ of separate
risk reporting, calling instead for a more integrated view of risk that ties together an organization’s resilience to risk and its
performance (Slagmulder 2017).
In conclusion, our study demonstrates that (dis)comfort is a core pervasive aspect of how risk management is practiced
within corporate boards. Ultimately, the value of risk oversight and what it can achieve is greatly dependent on the ability of
board members to strike an appropriate balance between the discomfort ensuing from looking into risk scenarios, and the
comforting feeling of confidence surrounding the validity of risk management process and outcomes. Future research, in
particular, may examine the extent to which the (dis)comfort dynamics we unveiled differ across organizations of different
types. For instance, a board’s size and the presence of an audit or risk management committee may play a role in how boards
practice and experience risk oversight.
REFERENCES
Abbott, A. D. 1988. The System of Professions. Chicago, IL: University of Chicago Press.
Alvesson, M., and J. Sandberg. 2014. Habitat and habitus: Boxed-in versus box-breaking research. Organization Studies 35 (7): 967–987.
https://doi.org/10.1177/0170840614530916
Arena, M., M. Arnaboldi, and G. Azzone. 2010. The organizational dynamics of enterprise risk management. Accounting, Organizations
and Society 35 (7): 659–675. https://doi.org/10.1016/j.aos.2010.07.003
Arena, M., M. Arnaboldi, and T. Palermo. 2017. The dynamics of (dis)integrated risk management: A comparative field study.
Accounting, Organizations and Society 62: 65–81. https://doi.org/10.1016/j.aos.2017.08.006
Baxter, R., J. C. Bedard, R. Hoitash, and A. Yezegel. 2013. Enterprise risk management program quality: Determinants, value relevance,
and the financial crisis. Contemporary Accounting Research 30 (4): 1264–1295. https://doi.org/10.1111/j.1911-3846.2012.01194.x
Beasley, M., B. Branson, and B. Hancock. 2010. Enterprise Risk Oversight: A Global Analysis. London, U.K.: Chartered Institute of
Management Accountants.
Beck, U. 1992. Risk Society: Towards a New Modernity. London, U.K.: Sage Publications.
Bingham, C. B., and K. M. Eisenhardt. 2011. Rational heuristics: The ‘‘simple rules’’ that strategists learn from process experience.
Strategic Management Journal 32 (13): 1437–1464. https://doi.org/10.1002/smj.965
Bodnar, G. M., E. Giambona, J. Graham, and C. R. Harvey. 2019. A view inside corporate risk management. Management Science 65
(11): 5001–5026. https://doi.org/10.1287/mnsc.2018.3081
Brivot, M., D. Himick, and D. Martinez. 2017. Constructing, contesting, and overloading: A study of risk management framing.
European Accounting Review 26 (4): 703–728. https://doi.org/10.1080/09638180.2016.1180254
Burchell, S., C. Clubb, A. Hopwood, J. Hughes, and J. Nahapiet. 1980. The roles of accounting in organizations and society. Accounting,
Organizations and Society 5 (1): 5–27. https://doi.org/10.1016/0361-3682(80)90017-3
Caldwell, J. E. 2012. A Framework for Board Oversight of Enterprise Risk. Toronto, Canada: Canadian Institute of Chartered
Accountants.
Carrington, T., and B. Catasu´s. 2007. Auditing stories about discomfort: Becoming comfortable with comfort theory. European
Accounting Review 16 (1): 35–58. https://doi.org/10.1080/09638180701265846
Christensen, M., and P. Skærbæk. 2010. Consultancy outputs and the purification of accounting technologies. Accounting, Organizations
and Society 35 (5): 524–545. https://doi.org/10.1016/j.aos.2009.12.001
Chua, W. F. 2019. Radical developments in accounting thought? Reflections on positivism, the impact of rankings and research diversity.
Behavioral Research in Accounting 31 (1): 3–20. https://doi.org/10.2308/bria-52377
Cohen, J., G. Krishnamoorthy, and A. Wright. 2017. Enterprise risk management and the financial reporting process: The experiences of
audit committee members, CGOs, and external auditors. Contemporary Accounting Research 34 (2): 1178–1209. https://doi.org/
10.1111/1911-3846.12294
Committee of Sponsoring Organizations of the Treadway Commission (COSO). 2004. Enterprise Risk Management—Integrated
Framework. New York, NY: Committee of Sponsoring Organizations of the Treadway Commission.
Empson, L. 2018. Elite interviewing in professional organizations. Journal of Professions and Organization 5 (1): 58–69. https://doi.org/
10.1093/jpo/jox010
Fareed, A. 1994. A philosophical analysis of the concept of reassurance and its effect on coping. Journal of Advanced Nursing 20 (5):
870–873. https://doi.org/10.1046/j.1365-2648.1994.20050870.x
Fischer, M. D., and E. Ferlie. 2013. Resisting hybridization between modes of clinical risk management: Contradiction, contest, and the
production of intractable conflict. Accounting, Organizations and Society 38 (1): 30–49. https://doi.org/10.1016/j.aos.2012.11.002
Furnari, S., D. Crilly, V. F. Misangyi, T. Greckhamer, P. C. Fiss, and R. V. Aguilera. 2020. Capturing causal complexity: Heuristics for
configurational theorizing. Academy of Management Review (forthcoming). https://doi.org/10.5465/amr.2019.0298
18 Gendron, Samsonova-Taddei, and Gue´nin
Behavioral Research in Accounting
Volume 33, Number 1, 2021
Gendron, Y. 2018. Beyond conventional boundaries: Corporate governance as inspiration for critical accounting research. Critical
Perspectives on Accounting 55: 1–11. https://doi.org/10.1016/j.cpa.2017.11.004
Gendron, Y., M. Brivot, and H. Gue´nin-Paracini. 2016. The construction of risk management credibility within corporate boardrooms.
European Accounting Review 25 (3): 549–578. https://doi.org/10.1080/09638180.2015.1064008
Gephart, R. P., Jr., J. Van Maanen, and T. Oberlechner. 2009. Organizations and risk in late modernity. Organization Studies 30 (2-3):
141–155. https://doi.org/10.1177/0170840608101474
Golden-Biddle, K., and K. Locke. 2007. Composing Qualitative Research. Thousand Oaks, CA: Sage Publications.
Gue´nin-Paracini, H., B. Malsch, and A. Marche´ Paille´. 2014. Fear and risk in the audit process. Accounting, Organizations and Society 39
(4): 264–288. https://doi.org/10.1016/j.aos.2014.02.001
Hall, M., A. Mikes, and Y. Millo. 2015. How do risk managers become influential? A field study of toolmaking in two financial
institutions. Management Accounting Research 26: 3–22. https://doi.org/10.1016/j.mar.2014.12.001
Hayne, C., and C. Free. 2014. Hybridized professional groups and institutional work: COSO and the rise of enterprise risk management.
Accounting, Organizations and Society 39 (5): 309–330. https://doi.org/10.1016/j.aos.2014.05.002
Heaton, J. 2004. Reworking Qualitative Data. Thousand Oaks, CA: Sage Publications.
Ingley, C., and N. van der Walt. 2008. Risk management and board effectiveness. International Studies of Management & Organization
38 (3): 43–70. https://doi.org/10.2753/IMO0020-8825380302
Ittner, C. D., and T. Keusch. 2015. The influence of board of directors’ risk oversight on risk management maturity and firm risk-taking.
Working paper, University of Pennsylvania and INSEAD.
Jordan, S., L. Jørgensen, and H. Mitterhofer. 2013. Performing risk and the project: Risk maps as mediating instruments. Management
Accounting Research 24 (2): 156–174. https://doi.org/10.1016/j.mar.2013.04.009
Jordan, S., H. Mitterhofer, and L. Jørgensen. 2018. The interdiscursive appeal of risk matrices: Collective symbols, flexibility normalism
and the interplay of ‘‘risk’’ and ‘‘uncertainty.’’ Accounting, Organizations and Society 67: 34–55. https://doi.org/10.1016/j.aos.
2016.04.003
Jørgensen, L., and S. Jordan. 2016. Risk mapping: Day-to-day risk work in inter-organizational project management. In Riskwork: Essays
on the Everyday Life of Risk Management, edited by M. Power, 50–71. Oxford, U.K.: Oxford University Press.
Kamla, R., and N. Komori. 2018. Diagnosing the translation gap: The politics of translation and the hidden contradiction in
interdisciplinary accounting research. Accounting, Auditing & Accountability Journal 31 (7): 1874–1903. https://doi.org/10.1108/
AAAJ-08-2017-3067
Kawall, J. 2006. On complacency. American Philosophical Quarterly 43 (4): 343–355.
Kenno, S. A., S. A. McCracken, and S. E. Salterio. 2017. Financial reporting interview-based research: A field research primer with an
illustrative example. Behavioral Research in Accounting 29 (1): 77–102. https://doi.org/10.2308/bria-51648
Kewell, B., and P. Linsley. 2017. Risk tools and risk technologies. In The Routledge Companion to Accounting and Risk, edited by M.
Woods and P. Linsley, 15–27. London, U.K.: Routledge.
Laguecir, A., and B. Leca. 2019. Strategies of visibility in contemporary surveillance settings: Insights from misconduct concealment in
financial markets. Critical Perspectives on Accounting 62: 39–58. https://doi.org/10.1016/j.cpa.2018.10.002
Leech, T. 2012. Risk oversight: Is it ‘‘broken’’? What are the new expectations? The EDP Audit, Control, and Security Newsletter 45 (4):
1–11. https://doi.org/10.1080/07366981.2012.680331
Lincoln, Y. S., and E. G. Guba. 1985. Naturalistic Inquiry. Newbury Park, CA: Sage Publications.
Malsch, B., and S. E. Salterio. 2016. ‘‘Doing good field research’’: Assessing the quality of audit field research. Auditing: A Journal of
Practice & Theory 35 (1): 1–22. https://doi.org/10.2308/ajpt-51170
Mikes, A. 2009. Risk management and calculative cultures. Management Accounting Research 20 (1): 18–40. https://doi.org/10.1016/j.
mar.2008.10.005
Mikes, A. 2011. From counting risk to making risk count: Boundary-work in risk management. Accounting, Organizations and Society 36
(4-5): 226–245. https://doi.org/10.1016/j.aos.2011.03.002
Miller, P., L. Kurunma¨ki, and T. O’Leary. 2008. Accounting, hybrids and the management of risk. Accounting, Organizations and Society
33 (7-8): 942–967. https://doi.org/10.1016/j.aos.2007.02.005
Mitterhofer, H., and S. Jordan. 2016. Imagining risk: The visual dimension in risk analysis. In Routledge Handbook of Risk Studies, edited
by A. Burgess, A. Alemanno, and J. Zinn, 318–334. London, U.K.: Routledge.
Organisation for Economic Co-operation and Development (OECD). 2014. Risk Management and Corporate Governance. Paris, France:
OECD Publishing.
Patton, M. Q. 1990. Qualitative Evaluation and Research Methods. Newbury Park, CA: Sage Publications.
Pentland, B. T. 1993. Getting comfortable with the numbers: Auditing and the micro- production of macro-order. Accounting,
Organizations and Society 18 (7-8): 605–620. https://doi.org/10.1016/0361-3682(93)90045-8
Pezeu-Massabuau, J. 2012. A Philosophy of Discomfort. London, U.K.: Reaktion Books.
Pollock, N., and L. D’Adderio. 2012. Give me a two-by-two matrix and I will create the market: Rankings, graphic visualisations and
sociomateriality. Accounting, Organizations and Society 37 (8): 565–586. https://doi.org/10.1016/j.aos.2012.06.004
Power, M. 1997. The Audit Society: Rituals of Verification. Oxford, U.K.: Oxford University Press.
Power, M. 2004. The Risk Management of Everything: Rethinking the Politics of Uncertainty. London, U.K.: Demos.
Making Sense of Risk Management as a (Dis)Comfort-Inducing Practice 19
Behavioral Research in Accounting
Volume 33, Number 1, 2021
Power, M. 2007. Organized Uncertainty: Designing a World of Risk Management. Oxford, U.K.: Oxford University Press.
Power, M. 2009. The risk management of nothing. Accounting, Organizations and Society 34 (6-7): 849–855. https://doi.org/10.1016/j.
aos.2009.06.001
Power, M., and Y. Gendron. 2015. Qualitative research in auditing: A methodological roadmap. Auditing: A Journal of Practice & Theory
34 (2): 147–165. https://doi.org/10.2308/ajpt-10423
Purcell, E. A. 2016. Capitalism and risk: Concepts, consequences, and ideologies. Buffalo Law Review 64: 23–59. Available at:
digitalcommons.nyls.edu/cgi/viewcontent.cgi?article¼1432&context¼fac_articles_chapters
PwC. 2019. The Collegiality Conundrum: Finding Balance in the Boardroom. PwC Annual Corporate Directors Survey. London, U.K.:
PwC.
Sarens, G., I. De Beelde, and P. Everaert. 2009. Internal audit: A comfort provider to the audit committee. The British Accounting Review
41 (2): 90–106. https://doi.org/10.1016/j.bar.2009.02.002
Schaefer, S. M., and M. Alvesson. 2020. Epistemic attitudes and source critique in qualitative research. Journal of Management Inquiry
29 (1): 33–45. https://doi.org/10.1177/1056492617739155
Slagmulder, R. 2017. Risk reporting to the board of directors. In The Routledge Companion to Accounting and Risk, edited by M. Woods
and P. Linsley, 172–186. London, U.K.: Routledge.
Solomon, I., and M. D. Shields. 1995. Judgment and decision-making research in auditing. In Judgment and Decision-Making Research
in Accounting and Auditing, edited by R. H. Ashton and A. H. Ashton, 137–175. Cambridge, U.K.: Cambridge University Press.
Spira, L. F., and M. Page. 2003. Risk management: The reinvention of internal control and the changing role of internal audit. Accounting,
Auditing & Accountability Journal 16 (4): 640–661. https://doi.org/10.1108/09513570310492335
Sturdy, A. 1997. The consultancy process—An insecure business? Journal of Management Studies 34 (3): 389–413. https://doi.org/10.
1111/1467-6486.00056
Tekathen, M. 2019. Unpacking the fluidity of management accounting concepts: An ethnographic social site analysis of enterprise risk
management. European Accounting Review 28 (5): 1–34. https://doi.org/10.1080/09638180.2019.1575759
Tekathen, M., and N. Dechow. 2020. Semantic narrowing in risk talk: The prevalence of communicative path dependency. Management
Accounting Research 48: 1–18. https://doi.org/10.1016/j.mar.2020.100692
Themsen, T. N., and P. Skærbæk. 2018. The performativity of risk management frameworks and technologies: The translation of
uncertainties into pure and impure risks. Accounting, Organizations and Society 67: 20–33. https://doi.org/10.1016/j.aos.2018.01.
001
Vinnari, E., and P. Skærbæk. 2014. The uncertainties of risk management: A field study on risk management internal audit practices in a
Finnish municipality. Accounting, Auditing & Accountability Journal 27 (3): 489–526. https://doi.org/10.1108/AAAJ-09-2012-
1106
Viscelli, T. R., D. R. Hermanson, and M. S. Beasley. 2017. The integration of ERM and strategy: Implications for corporate governance.
Accounting Horizons 31 (2): 69–82. https://doi.org/10.2308/acch-51692
Waller, W. S. 1995. Decision-making research in managerial accounting: Return to behavioral-economics foundations. In Judgment and
Decision-Making Research in Accounting and Auditing, edited by R. H. Ashton and A. H. Ashton, 29–54. Cambridge, U.K.:
Cambridge University Press.
Woods, M., and P. Linsley. 2017. The Routledge Companion to Accounting and Risk. London, U.K.: Routledge.
20 Gendron, Samsonova-Taddei, and Gue´nin
Behavioral Research in Accounting
Volume 33, Number 1, 2021
Copyright of Behavioral Research in Accounting is the property of American Accounting
Association and its content may not be copied or emailed to multiple sites or posted to a
listserv without the copyright holder's express written permission. However, users may print,
download, or email articles for individual use.