Primary navigation:

QFINANCE Quick Links
QFINANCE Reference

Home > Regulation Best Practice > Why Organizations Need to be Regulated—Lessons from History

Regulation Best Practice

Why Organizations Need to be Regulated—Lessons from History

by Bridget Hutter

Table of contents

Executive Summary

  • Organizations both create and manage risk on a global scale, but their capacities to manage risk vary enormously.

  • Since the origins of crises in organizations are well-documented, anticipating risks and preparing for their control have become an essential part of risk regulation regimes.

  • Regulation, which is often formulated in response to a crisis, targets the risks that organizations can pose to the stability of the macroeconomy, to fair competition, and to consumer protection.

  • Typically regulation is state-based, but there has been a move to include transnational organizations.

  • Regulation is about managing risk, not elimination of the underlying activities.


As far back as the Middle Ages, history provides plenty of lessons on the effects of the failure of financial institutions, of consumer ignorance being exploited through the sale of inappropriate securities, pension plans, and mortgages, and of high and opaque charges for financial products and services. Arguably, regulation has become imperative today, given the increasingly transnational nature of financial markets. Another factor is the growth of large multinational organizations, now possibly more powerful than some nations. They pose particular risk and regulatory problems because they can both create and manage risks, sometimes on a global scale. Crises can have catastrophic effects nationally and internationally. Anticipating risks and organizing for their control have thus become an integral part of risk regulation regimes, which aim to influence the risk management practices of organizations. Their objectives are to make sure that organizations give high priority to risk management, to shape motives and preferences, and to influence organizations’ objectives and practices accordingly.

Organizations and Risks

The capacities of financial organizations to identify and manage risks vary according to many factors. Financial organizations are often reliant on risk modeling, which itself relies on the availability of good quality data. But the past is not always a good predictor of the future (particularly where data are drawn from a period of benign economic conditions), and data may be incomplete, poorly collated, and historically limited. Moreover, staff will vary in their ability to interpret these data. Organizations need to be open to identifying new risks and understanding that circumstances and personnel change, and these may well change the risks an organization faces. Stress testing—assessing the potential impact of alternative scenarios—can usefully supplement risk modeling by introducing risks that may not be evident from past data. Organizations tend to run these stress tests by assuming that the shocks are specific to them rather than systemwide, and they find it difficult to translate the results into positive action. They may fail to recognize that specific shocks can generate contagion and other externalities. These are some of the lessons of 2007, when liquidity dried up across the financial system. Risk modeling had been undertaken in a period of economic optimism and firms overestimated their ability to identify and control the risks associated with the innovative new products they were developing.

The routines and practices of different groups and people within the organization also require consideration. For example, risk-taking may be made to seem normal, or it may be unwittingly incentivized, as in the Barings and Société Générale cases. Or organizations may deny the severity of a risk and thus inhibit their ability to deal with underlying problems. This is typically done by blaming individuals or part of an organization for something that is much more systemic and dangerous. Again, the Barings case is illustrative—the rogue trader was blamed and the responsibility of the organization in permitting and supporting his risky activities were initially ignored. Remuneration incentives based on short-term sales performance are an integral part of the rogue traders’ stories. The 2007–09 crisis has continued to demonstrate that the excessive risk-taking such bonuses can incentivize has not led to organizations learning lessons.

The organizational origins of crises are well documented. In 1984 Charles Perrow coined the term “normal accidents” to emphasize the inevitability of something going wrong.1 He focused on complex systems where the interaction of unexpected multiple failures can lead to catastrophe, this being most likely where the system is tightly coupled and has no slack to cope with such eventualities. Opinions differ about organizations’ ability to prevent and contain risks, but most agree that large, complex, transnational organizations give rise to distinctive difficulties of risk detection, proof, responsibility, and power. This is well exemplified by the cases of AIG and UBS in 2008, where varying risk management practices in different parts of their transnational organizations led to financial crisis. One commentator remarked “AIG has 125,000 employees. Basically, 80 of them tanked the firm.”2

Back to Table of contents

Further reading


  • Braithwaite, John, and Peter Drahos. Global Business Regulation. Cambridge, UK: Cambridge University Press, 2000.
  • Hutter, Bridget, and Michael Power (eds). Organizational Encounters with Risk. New York: Cambridge University Press, 2005.
  • MacKenzie, Donald. An Engine, Not a Camera: How Financial Models Shape Markets. Cambridge, MA: MIT Press, 2008.
  • Sparrow, Malcolm K. The Character of Harms: Operational Challenges in Control. New York: Cambridge University Press, 2008.
  • Taleb, Nassim Nicholas. The Black Swan: The Impact of the Highly Improbable. London: Penguin Books, 2008.


  • UBS. “Shareholder report on UBS’s write-downs.” April 18, 2008. Online at: [PDF].


Back to top

Share this page

  • Facebook
  • Twitter
  • LinkedIn
  • Bookmark and Share