Roles of Risk Managers: Understanding How Risk Managers Engage in Regulation

Inside companies that produce significant risks, risk managers play a key role. They manage the connection between the risk regulation regime, which stresses public values, and the company, which pursues a broader array of organisational goals. This makes the role of risk managers ambivalent. To better understand this ambivalence and identify the means, motives and strategies that risk managers employ in response to this ambivalence, this article conducts a concise review of (classic) organisation and regulatory literature. Based on this review, we propose a typology that distinguishes four roles of risk managers: risk managers as supporting staff; risk managers as professionals; risk managers as boundary spanners; and risk managers as agents in regulatory communities. Each type subsequently describes how risk managers employ different strategies in their attempt to connect the risk regulation regime and the company, ie translating policies to practices, tailoring policies to practices, explaining and framing policies and practices, and (re)interpreting policies and practices together with regulators. The typology enables researchers and practioners to emphasise and more thoroughly analyse the variety and complexity of risk managers’ work, and can help regulators to broaden and fine-tune their strategies to improve connections with the various roles of risk managers.


I. RISK MANAGEMENT AS A CONTINUOUS BALANCING ACT
The self-regulation of risk management has become an essential element in public regulatory policies in the western world, as part of the "shift from government to governance". 1 The responsibility of regulated industries to manage risks themselves is considered a core element in many regulatory frameworks initiated by governments. Many regulatory policies assume or require that organisations manage their risks as part of a wider development in the direction of process-based regulatory arrangements. 2 Private companies are thus expected to account for risk management, implying a conscious and explicit risk assessment and risk mitigation strategy, thereby increasingly incorporating not just coporate but also broader societal values and interests. 3 Risk management is defined here as a "process Tof reducing the risks to a level deemed tolerable by society and to assure control, monitoring, and public communication". 4 Risk managersthose responsible inside companies for executing the process of risk management via which companies manage risksthus find themselves in a unique position between government regulation and the daily operations of the organisation. On the one hand, risk managers manage expectations from the environment, including compliance with government regulations. They meet government representatives, usually in the form of public regulators and inspectors. On the other hand, they act within a complex organisation to manage risks. They are members of an organisation, which may simultaneously aspire to different values than those held by government. This makes the risk manager's position an ambivalent one. 5 Risk managers have to connect and balance public (governmental) and private (organisational) interests. If the expectations of the environment and the daily conduct within the organisation diverge, the position of risk managers becomes dilemmatic. 6 As the political and regulatory importance of risk management in private industries increases, the balancing act that is required of risk managers becomes increasingly relevant to anyone interested in public safety.
This ambivalence is a core theme in regulatory literature on risk management. Lenglet describes risk managers as "double agents". 7 He specifies this ambivalence by listing the tasks of the risk manager: enacting rules, training employees, monitoring safety performance, advising operators and lobbying. Risk managers actively help to implement regulations and at the same time lobby on behalf of the organisation to regulators or politics for more favourable regulations. Beaumont et al signal that safety officers do not have a particularly easy or simple task and find it problematic to simultaneously combine their roles as independent internal agents from "outside" regulators and advisors to the authority of managers. 8 Weait notes that compliance officers have a somewhat schizophrenic job to articulate the business case for compliance with "turning law into profit". 9 Recent insights in literature suggest that risk managers employ complex behaviour, and engage with people inside as well as outside company boundaries in various ways. 3  . We use a broad definition of "risk management" here. As organisations are diverse, risk managers may be called by different names in different organisations. Depending on the type of risks or the application field, they may be called Chief Risk Officers, Safety Managers, Health & Environment Managers, etc. "Risk managers" in this contribution are held responsible for managing a specific issue (ie environment, safety, financial risk) which affects (a) public value(s) and potentially harms both the organisation and society. 5 M Lenglet, "Ambivalence For example, Palermo et al argue that risk managers cope with the conflicts inherent in their work in different ways. Individual risk managers use and draw upon "different logics, or part of their underlying practices", in response to the institutional complexity they encounter in their function. 10 Lim et al reach similar conclusions in a study which focuses on relations between risk managers and line managers. 11 According to Jarzabkowski et al, risk managers display changing attitudes and responses to simultaneously contribute to organisational and regulatory goals. Furthermore, risk managers are engaged in a continuous struggle to "compete for managerial attention", and endeavour to convince line managers to actually "use their methods of defining, measuring and representing the business environment". 12 To attain their goals, risk managers need to master different modes of operation, and to be able to engage in a variety of interpersonal connections and develop a set of tools suited to the particular circumstances. 13 Important as these findings are to understanding the functions of corporate risk managers, and the fact that much variation exists in how risk managers perform their task, they do not result in a systematic insight in how risk managers connect risk-based regulatory regimes with coporate objectives and interests.
We seek to characterise how risk managers connect inside and outside interests via risk management. This contribution is a first attempt to do so, and uses different strands of literature to identify and characterise the various motives, means and strategies of risk managers towards regulators. Organisational literature is used to increase our understanding of the roles risk managers play inside corporations. Knowledge about the roles of organisational specialists, wholike risk managersconnect company and outside interests are described as well as insights about organisational members who work on the "boundaries" between the organisation and the outside world. A second strand risk regulation and risk governance literature focuses on the attitudes of risk managers towards societal efforts to influence the company. To systematically understand how different means, motives and strategies affect the attitude of risk managers towards regulation, both bodies of literature are combined, which results in a typology of risk manager roles.
The catalogue of potentially relevant literature in the fields of organisation studies and risk governance and risk regulation literature is obviously huge. To keep this contribution concise and readable it was decided to pre-structure our literature review in four separate sections, which identifies the following roles of risk managers as connectors between the corporation and safety regulators. These are: the risk manager as support staff: in the 1960s and 1970s theories emerged about organisations as a collection of subunits, each with its own interests. Risk managers are rarely explicitly mentioned in this literature, but we can reflect on what these theories mean for the position of risk managers when they are perceived as organisational support staff; 14 the risk manager as a professional: if one perceives risk managers as organisational professionals, literature emphasises the complexity of the job and the multiplicity of values involved, such as professional and managerial values; 15 the risk manager as a spanner of boundaries: risk managers operate near organisational boundaries, between the corporation and its environment.
Organisation studies characterise risk managers as "boundary spanners". Theories of boundary spanning specifically reflect upon the relation between risk managers as organisational members and regulators as external parties; 16 the risk manager as regulator: theories on risk governance explicitly focus on (the management of) risks. It assumes this focus is a central concern for all stakeholders, including risk managers and regulators. In doing so, this literature identifies differences and similarities between risk managers and regulators. Risk managers are perceived as agents within a regulatory community. 17 Each subsequent section explores the relevant theories and describes their impact on the means, motives and strategies of risk managers. The resulting typology is described in section VI. Section VII discusses the consequences of our exploration for risk regulation, and the relation between risk managers and their regulatory environment.

II. THE RISK MANAGER AS SUPPORT STAFF
A starting point to gain insights on the role of risk managers can be found in organisation theory. This literature focuses on formal and informal positions of employees within an organisation. Risk managers are not traditional line managers, because they are not responsible for primary organisational processes. They have an advisory function and are generally considered as, and assigned to, a staff position in the organisation. That being said, the advice of risk managers can have far-reaching consequences that can considerably affect primary processes. Classic organisation theory primarily focuses on the internal organisation, and argues that within an organisation, interaction takes place between a wide variety of different organisational parts, of which risk management is only one, albeit an important one. From this perspective, four observations enable us to describe "risk management" staff functions, and understand its attitude towards regulators, as well as the processes that govern the relation between organisation and regulator.

A unit with its own preferences and objectives
A core assumption of organisational theory is that key participants in organisations do not resemble a unitary hierarchy or organic entity, but a loosely linked coalition of interest groups. 18 An organisation is portrayed as a dynamic coalition of interest groups. Each group attempts to obtain something from the collective by interacting with others, each having its own preferences, objectives and shifting allegiances. 19 Mintzberg distinguishes different types of organisational units, with fundamentally different mindsets, strategies and responsibilities towards the primary process. 20 Top management tends to centralise, technostructure tends to standardise and formalise, and the operational core tends to professionalise. Each organisational unit has its own power sourcesuch as authority, information, access to clientsand uses its position in the coalition to seek opportunities to push and pull the organisation towards its own ideal.

Adding rationality via standardisation
According to classic organisational literature, risk managers are "technostructure"as well as a specific form of support staff. As support staff, risk managers analyse and improve the primary process, as well as engage in risk mitigation. Technostructure imposes order and "control" over organisational processes via detailed methods and models that analyse risk (including risk matrices and bow tie models), and risk management systems. Operators provide information for these analyses. Risk managers use this information to advise managers to subsequently recognise and account for the identified risks, andif those are found criticalinitiate policies to mitigate them.
Pfiffner observes that staff managers prefer an administrative rationality that takes into account facts relative to emotions, politics, power, group dynamics, personality and mental health. 21 Mintzberg states that support staff analytical techniques, interpreted here as risk management techniques, "institutionalise" the job of the line manager, and remove responsibility for control and decision making from the line manager. In this way, risk management supports alignment and coordination of organisational subunits with more important organisational goals. Formal systems are used to drive this process. 22 Support staff risk managers advocate and push for increased use of technocratic systems, to the detriment of the line manager's personal responsibilities, but also to that of operational routines that are not formalised in any system.

Limiting the autonomy of operators
Support staff can become notoriously powerful in efforts to impose analytics and standards onto the organisation. The source of power from support staff is derived from a line manager, who is formally responsible for the primary process. The means risk managers as support staff employ is standardisation. As an extra power feature, support staff can move freely within the organisational hierarchy, and may uncover inefficiencies and incompetencies in the relations between various departments. 23 The focus on standards and procedures reduces the autonomy of operators, 24 and limits the potential for innovation and change. 25

Risk managers as support staff: implications for means, motives and strategies
The risk manager as support staff focuses on its managerial role in the corporation. The biggest asset of the risk manager is the "licence to standardise", a mandate from top management to implement and manage procedures and systems that encompass the work of every employee and department. The more this mandate is being taken seriously, the more discretionary freedoms of those affected by these procedures become limited. As for motives, risk managers as support staff seek to add rationality to decision making in organisations, which includes for example efforts to streamline the decision making process. The consequence is that relations between risk managers and organisational units, as well as between organisational units, are affected. The relations with regulators are less well articulated since classic organisational literature primarily focuses on relations inside the organisation, rather than on the role of regulators. We argue that regulators are considered as part of the organisational environment. As such, they provide additional arguments and motives for more risk standards for risk managers. This may happen, for instance, if risk analysis or risk management systems are imposed, or if a threat of future regulation becomes apparent. If the regulator demands new, complicated methods and systems to manage risks, the broader environment becomes an important source of knowledge that risk managers can monopolise. In that case, risk managers act as "technical gatekeepers", connecting the organisation to important sources of external information. 26 In these instances, the regulator becomes a source of information and instruction. The risk manager's job then is to translate the external sources into guidelines and procedures that can be applied in practice by employees within in the organisation. The regulator thus becomes source of power which risk managers use to impose order onto the organisation. On a less political note, regulations are translated into organisational procedures already in place. This is a relatively passive, technocratic effort. 23

III. THE RISK MANAGER AS PROFESSIONAL
The job of a risk manager can be seen as a practice that requires specific technical and managerial skills, and experience. It requires bringing together knowledge and skills on legal, technical, and business issues, among others. These issues often come from different fora, like regulators, line managers, (other) staff managers, clients, etc. Both their knowledge and their position among these actors make these professionals unique. Two classic bodies of literature from organisation science cover each an aspect of this unique position: the one on professionalism and the one on value conflict.

Professionalism: a unique source of knowledge
Professionals work relatively autonomously, and have certain freedoms to determine the content and organisation of their work. 27 They control their own work because of their special skills and knowledge. As professionals, risk managers can be considered an exclusive occupational group who apply relatively abstract knowledge to particular cases. 28 Like any profession, risk management comes with its own logic, experience, basic assumptions and set of norms. These can compete with those of other professions or with managers within the organisation. The professional logic is rooted in the complexity of the job. Complexity may lead to a certain exclusivity: only the professional knows how to deal with it, and it would be better to leave the job to the professional without interference from others. Professionals use various instruments to protect this exclusivity, though their knowledge-base, and organisational discourse as well as via the use of jargon. 29 Risk management concepts and tools can become complicated to people outside the profession of risk managers, including line managers, operators and sometimes even regulators. As professionals, risk managers have the autonomy to follow their own aesthetics to do their jobs unless they are confronted by counterplay from these groups.

Value conflict as a main source of complexity
What, then, is this complexity? As stated before, the position of risk managers as linking pin between regulators and organisation is unique. They have to cope with conflicts between public values and organisational values. For example, requirements for public values such as "sustainability" or "safety" which are set by the regulator need to be aligned with important organisational valuesincluding serving clients and efficiency for staying competitive. Societal values, which are expressed at high levels of abstraction, are easily reconcilable, and less in conflict with organisational values. However, this changes once these values are operationalised towards a specific end. "Value conflict is always a problem of practice", according to Thacher and Rein. 30 Indeed, conflicts tend to remain intangible until values are concretised infor examplesafety norms. Romzek and Ingraham argue that individuals in organisations operate in "a web of accountability relationships that represent several different behavioral standards against which their performance can be judged". 31 They distinguish four sources of control: external sources, which are political and legal, and internal sources, which are hierarchical and professional. As a result of these sources of control, professionals "can get caught between the cross pressures of initiative and command". 32 Value conflicts can become painful in the workplace, and as such heavily affect and influence the role of the risk manager.

Coping with competing values
How do professionals cope with value conflicts? Lipsky's study of public "street-level bureaucrats" was the first to identify and describe professional coping responses to value conflicts. 33 Professionals employ numerous strategies such as for example "rationing," and "routinisation," as well as discretionary judgment to reconcile seemingly conflicting requirements to perform their jobs. Every professional, and in this case risk managers, employs strategies to reconcile values and deal with tensions between professional judgment and management policies and rules to manage their practical work.

Risk managers as professionals: implications for means, motives and strategies
As risk management became a profession of its own, risk management became too complex to understand immediately by all those working inside the company; the jargon became impenetrable, increasingly new and more complex risk management tools, and elaborate procedures are required to provide proof of being "in control". Literature on professionalism stresses how this process leads to exclusivity of those who know and can analyse complex systems. This exclusivity protects the means and knowledge of professionals. Literature on value conflicts describes some of the complexities inherent in the position of of risk managers as professionals. It does not explicitly consider the relation between professionals and regulators. Coping with value conflicts is thus predominantly studied in the domain of the professional.
Although the values with which professionals wrestle may very well be those of regulators, these regulators are seldom considered as relevant actors in this literature. However, regulators have the potential to add to the complexity of the situation professionals are coping with. Nonetheless, the professional's perspective assumes risk managers are reactive rather than proactive. Competing values are simply considered a fact of life; they are "thrust" upon professionals; they are considered given. It is the risk professional's job to use their discretionary freedoms to connect policies to practices, and practices to policies, so that value conflicts are managed. 31  This job is a complex one, and this complexity provides risk managers with the autonomy to define and operate complex risk management systems.

IV. THE RISK MANAGER AS BOUNDARY SPANNER
"Coping" has a relatively passive connotation. As already noted, support staff may act as "technical gatekeepers", being the natural inlet for technical instructions with which organisations have to comply. It is as if risk managers are making the best of a situation that is defined outside their professional domain. However, risk managers may also influence their environments in a more proactive way. Risk managers can act as so-called "boundary spanners", situated at the boundaries between the organisation and its environment. This strategic position has attracted the attention of both organisational theorists and regulatory scholars. Literature on "boundary spanning" focuses on the organisational borders. Who is managing the boundaries? And how does this happen?

Managing the coupling between policies and practices
Organisations are highly motivated to secure enough stability and certainty to be able to function efficiently and effectively in environments that contain unknowns and uncertainties. 34 Regulators are part of this environment, and can also be considered as a source of uncertainties, or even friction, for organisations. To align the demands of both the organisational world and the outside world, in terms of risk taking, organisations specifically employ strategies that seek to influence the environmental sources of safety demands, such as bargaining and co-optationfor instance the incorporation of representatives of external groups in decision-making. 35 Additionally, buffering strategies are used, which shield the operational core from the environment, so that the operating activities can be protected. "Boundary spanning units" play a central role in this perspective, since they directly face the environment and deal with its uncertainties. 36 Risk managers operate at the interface between regulators and the organisation. Risk managers as boundary spanners have the means (eg knowledge and contacts) to align the organisation with the regulators and manage the couplings between policy and practice within the organisation. Formal policy may require the implementation of risk management systems and risk analysis tools. The managing of couplings may also involve the translation and/or framing of organisational practices to outsiders such as regulators.
2. The effect of regulation on the coupling between policies from practices of risk managers. Orton and Weick predict that the more organisations are forced to implement certain policies, the more questionable it becomes whether these policies are in fact put into practice. Allowing more difference between formal organisational policies and practices is called "loosening coupling" 37 or "decoupling". 38 Meyer and Rowan argue that an increased need to be accountable and transparent in many organisations results in organisational "decoupling" between what organisations formally account for and what they are actually doing. 39 Governments are said to significantly use their formal authority to promote the use of risk management. 40 They commonly require organisations to implement risk management systems, and risk management tools, with the aim of facilitating the selfregulatory capacity of organisations and facilitating communication about risks. 41 This drives organisations to implement risk management systems and suggests that rationality prevails in how organisations decide about (the management of) risks. This trend suggests that loose coupling may be inevitableeven functionalfor an organisation from a risk managerial perspective, especially when expectations from the external environment increase. It protects the organisation's operational core from the dynamics and "idealisation" of "external" policy demands and political requests. 42

An assumed loyalty to the organisation
The assumed necessity to shield operators from the environment implies hostility towards the environment. Boundary spanning literature assumes boundary spanners primarily seek to accomplish organisational, managerial goals. The role of the boundary spanner thus differs fundamentally from the role of the risk professional who is primarily oriented towards professional values. Boundary spanners are considered loyal to the organisation and its survival in a competitive environment. Loose coupling is a negative threat to the environment, including the regulator's perspective. It poses a threat to the environment, especially to those who want to oversee practices of risk management, such as regulators and inspectors.

Risk managers as boundary spanners: implications for means, motives and strategies
The means of a risk manager as "boundary spanner" are essentially his/her strategic position at the interface between regulators and the internal organisation. This position enables the risk manager to obtain a relatively autonomous position by virtue of the strategic ties he/she builds within the organisation and with its environment. Unlike risk managers as support staff and professionals, boundary spanners see an active role for themselves to influence regulation and its effects on the organisation. Indeed, influencing regulation and its effects for the organisation is considered an important part of their jobs. Boundary spanners play a political game between regulators and the organisation, using their skills and means to mitigate the effects of regulation if these are found to conflict with those of the organisation. For the risk manager as boundary spanner, information on policies and practices provides the means to manage the organisation and the environment. Reporting policies and practices consists not just of technical reporting, but is also considered from a marketing perspective. Risk managers are in a position to frame organisational policies and practices strategically to the environment. At the same time risk managers may frame regulations as urgent to reinforce their position within the organisation.

V. THE RISK MANAGER AS PART OF A REGULATORY COMMUNITY
Considering risk managers as part of a regulatory community takes the idea of risk managers as boundary spanners one step further. Literature on regulatory communities stresses collaboration over conflicts and differences. It focuses on the effectiveness of regulation rather than the effectiveness of organisations. To achieve effectiveness, interaction and learning between regulators and those in the corporation who are responsible for complianceand these include risk managersis considered vital. Risk regulation literature considers regulation as a learning process, is more prescriptive and has a far more positive outlook towards organisations. 43

A horizontal relationship between regulator and risk manager
The idea that risk managers and regulators are part of a regulatory community contrasts sharply with the perspectives of risk managers focusing on decoupling and boundary spanning. The relationship between regulator and risk manager in risk governance is considered to be harmonious, networked and horizontal rather than hierarchical and potentially conflicted. 44 Although regulators and risk managers hold different positions and affiliations, both share similar values and a basic understanding of the meanings and goals of regulatory action. 45 Risk governance literature stresses the importance of communication and trust within and across organisations, and argues that risk-related processes are delicately interconnected and potentially conflicting processes. 46 Quality of knowledge is identified as an essential feature of risk governance, which consists of principles such as "good knowledge", communications and trust. 47

Risk governance as an inter-organisational feature
An important principle in risk governance is "inclusion", ie the involvement of interested and affected stakeholders in collective decision making about risk. Inclusion promotes coping with uncertainty, complexity, and ambiguity. 48 It also promotes democracy, social robustness, and social learning. 49 The literature on risk governance is inter-organisational in nature yet it rarely specifies risk governance processes across the public-private divide, ie between risk managers and regulators. Parker states that "Regulators must rely on a regulatory community in which regulators, compliance professionals, and other affected parties together work out standards for compliance, with regulators maintaining the crucial task of meta-evaluation". 50 In other words, risk managers are assumed to convince other organisation members to incorporate and align the external value with the organisational values. Moreover, it is assumed that "regulatory messages are communicated into a world of shared bonds and shared understandings in which companies can effectively respond to regulatory signals, and the parties deliberate effectively about their response to them, which, in turn, creates shared commitments to regulatory goals". 51

Regulators and risk managers joining up for interpreting regulation
Although the relation between risk managers and regulators is considered a dual one, risk governance literature assumes a common ground will result from interaction. At the same time risk managers are assumed to be "streetwise" 52 and, as such, willing to compromise with corporate, often commercial, values. In other words: deliberations between risk managers and regulators will be more about the "how" than the "what". Risk managers and regulators are partners when discussing regulatory goals, whereas the "how" will be the subject of deliberations and interpretations by both risk managers and regulators. Both policies and practices of the risk managers' industry are conditioned by regulations, as they are input for regulatory change at the same time.
Policies, practices and regulation will be subject to joint interpretations and reinterpretations. Gilad emphasises the same element of this interpretation process by introducing the concept of "regulatory meaning co-construction". 53 Regulators both anticipate and react to the way compliance professionals frame regulations. The idea of joint interpretation and reinterpretation of regulation sounds idealistic, but is meant to complexify the motives of risk managers (and regulators) away from simplistic caricatures as self-interested actors. However, literature on regulatory communities primarily describes the relationship between these groups from the perspective of the regulator.

Risk managers as part of a regulatory community: implications for means, motives and strategies
Like the boundary spanner, the risk manager as part of a regulatory community has a unique strategic position between the organisation and the regulatory environment. Moreover, literature on risk governance also stresses the unique knowledge of risk managers. It is this knowledge that facilitates cooperation between risk managers and regulators. Both groups use the same language and understand the complexities of their jobs. Compared to boundary spanning literature, risk governance literature Active, cooperative, regulator as part of a professional alliance Joint (re)interpretation of policies and practices focuses more on the substance of the interaction with the regulator, the so-called "regulatory conversations". Like boundary spanners, risk managers as regulators actively influence regulation and its effects on the organisation. They actively engage in interactions with regulators to shape regulations and their consequences. As part of an assumed regulatory community, the risk manager collaborates with regulatorsas fellow-professionalsand they jointly (re)interpret policies and practices. Table 1 summarises the four profiles which result from the literature study, and which support the identified roles of risk managers.

VI. A TYPOLOGY OF RISK MANAGERS
Two dimensions enable us to distinguish the four roles of risk managers and their attitudes towards regulation more crisply.
Attitudes towards regulations: from passive to (pro-)active. The roles of the risk manager as professional and as support staff that we have identified both take the existence of regulations for granted. These regulations are defined by institutions outside the corporation, that lie beyond the risk manager's influence. In these roles, regulations are considered a given. Literature on support staff does not even consider the role of a regulator, outside the organisation. Instead, it focuses on the role of the risk manager inside the organisation, or, more specifically, how risk managers behave towards parts of the organisation. Regulators, then, are considered outside sources of pressure which create constraints that have to be translated into technical standards. The role of risk managers as professionals considers regulations as inventions from outside the sphere of influence of the risk manager. However, in this role, outside requirements are aligned with and related to other requirements, coming from inside and outside the organisation. The main challenge of the risk manager is to solve the puzzle how to simultaneously cope with these different requirements.
When risk managers are boundary spanners or regulatory community agents, they adopt a more (pro-)active approach. In these roles, risk managers actively seek, as part of their jobs, to influence regulation and its effects on the organisation. This is a broader and more integral approach which more actively connects the outside world to the inside work of the the risk manager. The role of the boundary spanner explicitly assumes that risk managers play an important role in the political game between regulators and the organisation, using their means to mitigate the effects of regulation. Risk managers as part of a regulatory community are even more (pro-) actively involved in interactions with regulators to (re)define regulation and its consequences.
Attitudes towards regulators: from resistant to cooperative. Where risk managers assume roles as professional and boundary spanner, they display a relatively resistant attitude towards regulators. In these roles, regulators are considered sources of "problems". As professionals, risk managers view regulation as a coping problem, which requires them to implement regulations that do not necessarily align with organisational values, and might even be in conflict with them. The role of boundary spanners considers that regulators pose a continuous potential threat towards organisational goals and interests. Consequently, relations with these institutions are more actively "managed" to influence this source of power outside of the organisation.
In contrast, risk manager roles as support staff and regulatory community agents display a much more cooperative attitude towards regulators. In these roles, regulators and risk managers share a common professional or even moral interest or philosophy. This like-mindedness facilitateseither explicitly or implicitlymutual understanding and cooperation. In the role of support staff, regulators provide a source of power to risk managers. Implementing regulations in an organisation requires elaborate (technical) knowledge. This knowledge is provided by the risk manager and the implementation process is facilitated by risk manager's systems. The more detailed these systems become, the more they restrict the freedoms of operators and line managers. The role of risk managers as regulatory community agents emphasises cooperation with regulators even more explictly. This cooperation is considered natural, and facilitated by an assumed common ground with the meanings and goals of regulatory action.

A variety of risk managers
Risk managers can be ambivalent towards regulation. In this contribution we assumed that "the" risk manager does not exist, and that risk managers can perceive their role differenty. This affects how they deal with this ambivalence, and their attitude towards regulation. By bringing together insights from organisational and regulation literature we have identified four roles and their consequences on risk managers' attitude towards regulation, as well as to their efforts to connect their organisation to regulators.
We have distinguished four roles of risk managers. These are: risk managers as: (1) support staff; (2) professionals; (3) boundary spanners; and (4) agents in a regulatory community. Table 1 summarises the results of this analysis. The significance of these four roles for risk managers' attitudes towards regulation and regulators is shown in Table 2. The tables allows scholars to appreciate the complexities of the risk managers' function. They also provide them with an overview of the different perspectives about this role, as well as the implications for the means, motives and strategies that risk managers employ. These insights are also of potential value to regulatory regimes that deal with risk managers. First, the typology combines organisation studies and risk regulation literature. Bridging those two fields provides more detailed insights about why risk managers can be perceived as ambivalent. This ambivalence might be given, but the way risk managers deal with ambivalence of course differs according to the individual. These differences are significant for the effectiveness of regulation.
Second, this contribution provides additional insight into the relation between risk regulation and the strategies of risk managers. Based on the typology, we propose that strategies of risk managers are dependent on how risk managers define their role. This in turn influences how they connect regulatory policies to practices in corporations. Earlier studies emphasised the coerciveness of regulatory regimes as a main factor to explain this coupling. 54 However, part of the risk manager's job is to manage this process of coupling. Based on our analysis we theoretically identified four different strategies that risk managers can resort to in managing the coupling. These strategies follow from different perceptions about the role of the risk manager, ie translating policies to practices, tailoring policies to practices, explaining and framing policies and practices, and joint (re)interpretation of policies and practices (see Table 1). Obviously, these strategies differ to such an extent that a one-size-fitsall regulatory approach stands little chance of becoming successful.

Is variety of risk managers problematic for risk regimes?
The variation in strategies that risk managers can employ to manage the coupling, ie to connect organisational practices with regulatory policies, and the corresponding ambivalence in what risk managers ought to do, could consitute a problem for risk regimes. The conclusion of this theoretical review of the role of risk managers is to neither justify nor criticise the current ambivalence in what risk managers in coporations do, and how they respond to regulation. Nor does it seek to impose the four roles of risk managers that were identified as definitive and complete descriptions. Instead, the roles identified in our analysis leads us to conclude that regulators should expect ambivalence in the behaviour of risk managers and the organisations they represent, and find ways to deal with it.
A second conclusion is that the position of risk managers in the broader regulatory regime requires risk managers and regulators to use reflective skills on how to combine the different strategies and/or to shift from one strategy to another. So, given our conceptualisation of the roles of risk managers, we can expect a problem when: a risk manager lacks the flexibility and/or the capacity to reflect on the relation between the roles of the risk manager and his (organisation's) goals. When to use which strategy? For example because the formal mandate and corresponding interpretation of the risk manager's tasks do not align with the strategies and means that were identified in our typology; risk managers' discussions, either with operational staff or with a regulator, are not "rich" and substantive enough to assess what is the preferred strategy for connecting regulatory policy to practice within the corporation; similarly, when conversations fail to reveal how the risk manager seeks to realise this; a regulator's expectation of the behaviour of risk managers is confined to part of the typology, ie the regulator assumes that risk managers only engage in a subset of the four identified strategies to connect regulatory policies to organisational practices.
Finally, the contribution may inspire more scholarly empirical studies of risk managers in the future. For example: what internal or external institutional factors determine what roles risk managers "play"? What explains switching behaviour between the roles of risk managers? Tantalising answers are inferred in this study (see Table 1), but more in-depth studies could reveal more powerful insights. Empirical studies that focus on the role of the risk manager rather than on regulatory policies seem especially promising. Rather than focusing on regulatory policies as an operationalisation of risk management behaviour, future studies could focus on the actual behaviour of risk managers which captures the confrontation between regulatory policies and the corporate environment. Another study could investigate how strategies of risk managerssuch as "framing policies to practices"relate to compliance and/or more broadly-defined public values.
If we have more insight into these issues, the typology of roles may be strengthened and could serve as a valuable indicator for regulators to not only identify the "type" of risk manager a regulator is dealing with, but also to understand how the regulatory regime is perceived by the risk manager and its corporation.