Using Management Controls To Deal With An Organizational Crisis

This is a draft article written together with  Catherine E. Batt, Carsten Rohde and Leif Christensen. 


In 2008, the world was hit by one of the worst financial crises since the Great Depression in the 1930s. There are different types of financial crises, and the one in 2008 could be called a banking crisis, as it had its roots in the financial market (Claessens et al., 2012; The Economist, 2013). It affected a broad spectrum of companies, markets and institutions, but the effects were most strongly felt in financial institutions in the form of a series of collapses, bankruptcies, governmental assist programmes and subsequently new regulations and stronger compliance requirements.

Management controls are critical in supporting management decision-making as well as controlling the behaviour of individuals and groups to ensure that the organisation meets its objectives. The exact nature and content of management controls has been subject to much debate throughout the years. Here, we define management controls as systems, rules, practices, values and activities that management puts in place in order to direct employee behaviour. These can be seen as a “package” of several loosely coupled control elements (Malmi & Brown, 2008). These are:

  • Cultural controls: The values, beliefs and social norms that are established to influence employee behaviour. Include processes for e.g. hiring and ceremonies, definitions of mission, vision and values that are formally communicated, and creation of visible expressions of a particular type of culture.
  • Planning: Processes and practices for setting out the goals of functional areas, thereby directing effort, behaviour and defining the standards to be achieved. Includes long-term planning and short-term planning.
  • Cybernetic controls: Processes in which a feedback loop is represented by using standards of performance, measuring system performance and comparing that to standards, feeding back information about unwanted variances in the systems. Includes budgeting, financial and non-financial performance measurement.
  • Rewards and compensation: The processes and practices that focus on motivating and increasing the performance of individuals and groups by achieving congruence between their goals and activities and those of the organisation.
  • Administrative controls: The direction of employee behaviour through organisation of individuals and groups, monitoring of behaviour, and the process of specifying through policies and procedures how tasks or behaviour are to be performed.

The design of management controls is influenced by a number of functional areas, including the Chief Executive Officer, Chief Financial Officer, the Human Resource Manager, and the internal auditor. Management controls are critical in steering the organisation towards its objectives by ensuring the quality of information flows to managers as well as giving managers the means to influence and direct employee behaviour.

Not much is known about how these controls change in the wake of a financial crisis like the one in 2008 (Van der Stede, 2011). Even less is known about how management controls change in financial institutions after a crisis. Financial crises such as the one in 2008 are difficult to predict and respond to. However, knowing which management controls to use when responding to a crisis could be of vital importance when facing such a situation. Furthermore, banks are particularly dependent on public trust and compliance with regulatory requirements. Responding correctly to changes in the external environment is critical.

The study

To find out what happens to management controls in banks we gained access to the three largest banks in Iceland. The three banks studied are essentially new organisations built on the remnants of the old banks that went bankrupt in 2008. As there were no other similar banks in Iceland, letting the three banks be dissolved was not an option back in 2008. The three banks had to be taken over by the state and restructured, which included the layoff of hundreds of employees. Today, these banks employ a total of around 3,000 employees and constitute the banking infrastructure of Iceland.

To compare the development of management controls in these three banks, we selected and gained access to three Danish banks. These were comparable to the Icelandic banks in terms of current size of revenues and assets, non-financial variables such as the number of employees, and general business model, including retail and corporate banking activities. These three Danish banks did not experience the same level of turbulence after the 2008 crisis. In effect, the crisis was a “bump in the road” for these banks rather than a full-scale crisis. Asking the same questions and focusing on the same issues, we used the Danish banks as a “mirror” to reflect the changes made to the management controls of the three Icelandic banks in the period from 2008 to 2015.

With the cooperation of the Chief Financial Officers and the Chief Internal Auditors in the participating banks, we adapted our questionnaire themes to different managers and functional areas. In total, we conducted 26 interviews in the 6 banks with e.g. Human Resource Managers, Chief Financial Officers, Internal Auditors, Chief Risk Managers and Chief Planning Officers. The main themes explored through the interviews were the use of each management control, its relative importance, tools and methods, and how the control had changed since 2008.


In general, by interpreting the statements by the managers, it is possible to divide the aftermath of the Icelandic crisis in 2008 into three distinct phases up until 2015. The immediate aftermath of the crisis was a difficult time for the Icelandic banks. Many of the managers described this period as a time of “chaos”, “panic”, “turmoil” and “shock”. The managers reported that during this time, many employees experienced a discord between their personal values and those of the banks. Some of the banks even offered counselling and psychological assistance to their employees. After this “Restructuring” phase, the managers described a “Reinvention” phase in which for example most of the changes to management controls were implemented. This was followed by a more recent “Stabilisation” phase with a more settled business environment and operations, and what can be seen as standardised European banking practice.

Our study shows that during the “Reinvention” phase, certain management controls went through a radical redesign as a result of the crisis, while others were reconfigured to reflect new operating conditions (Dawson, 1994). In this context, radical redesign means that these controls were radically different from the controls used pre-crisis, whereas the reconfigured controls were similar but reflected different emphasis or focus. This is described below.

Cultural controls

The crisis in 2008 led to a loss of trust by the Icelandic public in the banking institution. Image surveys from that time show how the image of the banking institution deteriorated in terms of links to corruption, trust and social responsibility (Gudlaugsson & Eysteinsson, 2010). In short, the fundamental values on which the banks had operated up until 2008 were brought into question. All three banks therefore launched projects to redesign their cultural controls, including a redefinition of the basic values on which the new banks should operate.

“The CEO set up meetings where all the employees were invited. People thought the CEO was crazy, as most people were concerned with putting out fires and had no time for thinking about strategy. We counted about 700 employees at that meeting. One of the tasks of the meeting was to define new values. It was a very democratic approach and actually very good for the bank.” (Icelandic manager)

The efforts to redefine the values of the Icelandic banks were led by the Chief Executive Officers, who among other things used consultants, employee meetings and project groups to achieve the desired outcome, which was to develop radically different set of values and value based controls. This enabled the post-crisis bank to distance itself from the values and practices of the pre-crisis bank. A “clean break”, as some of the managers called it.

Administrative controls

Following the crisis, a large number of new regulations and compliance frameworks were introduced, financial control institutions such as the Icelandic Financial Supervisory Authority were strengthened and restructured, and the media took an active interest in the compliance of the banks. To cope with this, administrative controls were redesigned. In particular, managers used the organisational structure to frame and delineate the restructuring of the “new” organisation after the crash. Special restructuring departments were set up to deal with this complicated and sensitive task. Across the board, policies and procedures were made more formal. In this context, formalisation means written documentation, transparent management approval processes for new policies and procedures, internal and external reviews of compliance as well as formal training of employees in the application of policies and procedures. Finally, more resources were allocated to risk management departments, which hired more employees and took on more tasks. Currently, the risk management departments of the Icelandic banks are 5 times the size of similar departments in comparable Danish banks, although the task profile is similar.

Several managers mention how regulation, compliance and risk management have become more strategic for the banking industry.

“In a bank the focus goes straight from governance to strategic issues, whereas in a “regular” company, the emphasis goes from strategic issues to governance issues. And it is to a large extent the banking regulation that drives this development.” (Icelandic manager)

Some managers also welcome the formalisation of administrative controls in terms of increased transparency as well as documentation of rules – also from the perspective of being able to document what was done, how it was done and what boundaries have been defined.

“When you are in court it becomes easier to document what you have done regarding written administrative controls, whereas culture is more subjective.” (Danish manager)

Rewards and compensation

The report of the Special Investigation Commission put in place to investigate the collapse of the banks concluded that rewards and compensation schemes in the old banks had played a role in encouraging a certain behaviour among managers and employees (SIC, 2010). After the crisis, rewards and compensation schemes were radically redefined, both to comply with external regulations, but also to change the behavioural influence. This included changing the scope, intensity and direction of bonus schemes in the banks as well as making this internal control system open to external agency scrutiny.

“Today we are basing the bonus system on 65% for financial and operational metrics and that is more the bottom line. Then we have 35% that we call judgmental areas, and that is from 5 to 8 metrics where we are trying to stimulate responsible good behaviour. There are some areas where we have seen definite changes in behaviour, and that is concerning risk management and compliance. If you don’t meet the performance criteria within these areas, you may lose a good proportion of your bonus.”  (Icelandic manager)

Other controls

Other management controls did not change as drastically in the aftermath of the crisis. Planning processes such as budgeting have not been changed to any major extent but remain focused on the traditional annual budget cycle with variation analysis and follow-ups. A reconfiguration of cybernetic controls includes new definitions of performance with increased weight on risk and compliance.


Banks as institutions are fundamentally dependent on public trust and compliance with regulations. This legitimacy was damaged after the crisis in 2008 in Iceland. To regain social legitimacy and to demonstrate compliance with stricter regulation, the Icelandic banks radically redefined certain management controls. Cultural controls were changed to break with the values and practices of the old banks. Administrative controls were formalised to demonstrate compliance with external regulation and internally imposed boundaries. Certain controls, such as rewards and compensation and regulatory compliance practices, were opened to external scrutiny, which had not been the case before the crisis.

Some of the lessons learned from dealing with the crisis in the bank are:

  • Well-designed and implemented management controls are critical when banks respond to a financial crisis.
  • There will be a difference in change in individual management controls, depending on the magnitude of the financial crisis faced by the bank, as well as the initial design of the management control systems.
  • In a crisis of public trust recruiting a new CEO to act as a change agent should be considered.
  • Establish new organisational values from the bottom up signalling a clean break with past values.
  • Formalise new values with increased emphasis on compliance through changed governance procedures.
  • Change reward and compensation schemes to direct employee focus towards new goals.
  • Reconfigure performance measurement to reflect new emphasis.
  • Set clear policies and procedures for repetitive tasks combined with transparent governance processes to free up management attention to deal with crisis situations.
  • Strengthen the finance function, risk management, the compliance function and internal auditing in the bank with to successfully develop management controls. This includes adding management accounting capabilities.
  • Coordinate between these functions in designing and implementing changes in management controls.
  • Observe that despite increased regulatory compliance requirements, focus on business requirements has to be maintained.
  • Recognize the risk of loosing focus on core elements of management control such as action planning and budgeting.

Nothing can really prepare an organisation for a crisis of the magnitude faced by the Icelandic banks. However, some lessons can be learnt by banking institutions – and other companies – when responding to a crisis that involves loss of public trust and an immediate need to demonstrate compliance with changing requirements.


Claessens, S., Kose, M., Laeven, L., & Valencia, F. (2012). Financial Crises: Causes, Consequences, and Policy Responses Understanding Financial Crises: Causes, Consequences, and Policy Responses. Presented at the IMF Conference on the Financial Crisis, Causes and Policy Responses, Valencia. Retrieved from

Dawson, P. (1994). Organizational Change: A Processual Approach. London: Paul Chapman Publishing.

Gudlaugsson, T., & Eysteinsson, F. (2010). Áhrif Bankshrunsins á Ímynd Banka og Sparisjóða (Working Paper Series No. W09:04). Institute of Business Research. Retrieved from

Malmi, T., & Brown, D. A. (2008). Management control systems as a package—Opportunities, challenges and research directions. Management Accounting Research, 19(4), 287–300.

SIC. (2010). Report of the Special Investigation Commission (SIC) – English. Retrieved October 21, 2015, from

The Economist. (2013, September 7). The origins of the financial crisis. The Economist. Retrieved from

Van der Stede, W. (2011). Management Accounting Research in the Wake of the Crisis: Some Reflections. European Accounting Review, 20(4), 605–623.