“…The formalization of risk management systems can be identified: through the introduction of dedicated risk experts such as internal auditors, chief risk officers and/or risk managers, and through the introduction of formal risk management tools, such as heat maps (Arena et al., ; Hall, Mikes, & Millo, ; Mikes, , ; Palermo, ; Rocher, ; Vinnari & Skærbæk, , Woods, ). Previous research has reported on the implementation of formal risk management systems identifying a top–down design and roll out of risk management in public sector organizations (Palermo, ; Rocher, ; Vinnari & Skærbæk, ; Woods, ). Palermo (, p. 332) discussed the manner in which the Audit Committee approved “a policy outlining the risk management principles, roles and instruments to be applied across the whole organization.” Rocher (, p. 71) reported on the struggles encountered in the implementation of a new risk analysis method, developed by the Public Accounting General Directorate of the French Ministry of Finance, which was “delivered to local government as a “ready to use” method.” In a Finnish case, by Vinnari and Skærbæk (, p. 507), the internal auditor produced and promoted COSO‐based formal risk management guidelines; over time, these guidelines came to be approved as the “municipality's official risk management document.” However, the manner in which the internal auditor framed risk management was “considered too far removed from the frame of managers’ daily work and the inscriptions are reportedly only employed at a superficial level, to go through the motions of compliance” (Vinnari & Skærbæk, , p. 513).…”