Risky business: corporate risk regulation when managing allegations of crime
This article seeks to develop an understanding of how corporations manage their social and ethical responsibilities, whilst simultaneously facing allegations of crime. It draws on the case of TeliaSonera, a Swedish corporation prosecuted for committing bribery in Uzbekistan. The article begins by introducing the reader to this so-called ‘Uzbek affair’, before exploring how corporate governance has shifted in the new regulatory landscape, and the role CSR plays in this landscape. Secondly, it critically deconstructs TeliaSonera’s regulatory regime, in order to analyse how the risks of corruption and bribery are managed in the aftermath of the Uzbek affair, and what functions this management fulfils for the corporation’s front stage performance. By drawing on the distinction between primary and secondary risk management as proposed by Power [1, 2], the article argues that the regime in place to manage social and ethical risks simultaneously manages reputational and profitability-related risks, thus illustrating the dual functions of corporate risk management. This duality, it is suggested, is a consequence of the responsibilisation process in which corporations have become self-regulating entities, which allows for a ‘risk management of everything’ (cf. ).
Critical criminologists have long recognized the social harm that stems from the conduct of multinational corporations, in their own pursuit for profit (see, e.g., [3, 4, 5]). The task of safeguarding human and environmental rights has traditionally been an obligation of the nation state (: 255), but corporations have in the last decades acknowledged their responsibility for implementing measures to prevent harm against the public good (: 178). This idea is often conceptualised as ‘Corporate Social Responsibility’ (CSR), which denotes that corporations ought to manage their business in a manner that secures not only private, but also public, interest . This new corporate ‘social position’ follows the shifts in the regulatory landscape, in which state power has been redistributed and dispersed across different governing bodies, blurring the ‘private-public’ dichotomies (: 421). Since CSR is predominantly managed through voluntary measures that exceeds corporations’ legal responsibilities, such as internal ‘codes of conduct’ and ethical frameworks (see ), attention becomes directed to the manner in which corporations have become a new site of control (cf. ).
Taking this new corporate position as a point of departure, this article analyses how a Swedish corporation manages its social responsibilities whilst simultaneously facing allegations of crime – in other words, when the failure to secure socially responsible practices has already occurred. The corporation of interest is TeliaSonera, a Swedish telephone company and mobile network operator, which has been prosecuted for completing illegal monetary transactions in Uzbekistan. By conducting a thematic analysis on a selection of corporate documents, the aim of this paper is to (i) analyse how risk regulation regarding bribery and corruption has been transformed in the years following the so-called Uzbek affair, and (ii) analyse what functions these transformation fill for TeliaSonera’s front stage regime.
Rather than being concerned with how CSR could be used discursively as a response to allegations of crime and corporate scandals, this article takes an interest in the logics of corporate risk management and the practices that follow. Because of the dispersal of power and control within the regulatory landscape, this study sides with Braithwaite  suggesting that criminology must widen its scope to account for sites of monitoring and enforcement beyond the branch of criminal justice and traditional means of crime control. Therefore, analysing corporate risk management contributes to existing research by illustrating the decentralisation of the current regulatory landscape, how new sites of control manage their state-imposed responsibilities, and the logics within such a site.
The article is organised as follows. The next section offers a brief description of the Uzbek affair and its aftermath. Thereafter, the article sheds light on previous research on corporate risk management in general, and CSR in particular, while also introducing the article’s theoretical framework. TeliaSonera’s regulatory regime is then deconstructed into the three stages of risk regulation – standard-setting, monitoring, and enforcement – and the dual functions of risk regulation is discussed. Lastly, TeliaSonera is situated in the wider regulatory landscape, and corporate risk regulation is discussed in relation to the nation state.
The Uzbek affair
The corporation TeliaSonera arose through the merging of Swedish Telia and Finnish Sonera, yet the corporation – currently known as Telia Company, following a name change in 2016 – has business operations expanding well beyond the Nordic market . Both the Swedish and the Finnish states are shareholders in Telia Company, yet the Swedish state is the principal shareholder as it holds 37,3% of the corporation’s shares . In 2007, TeliaSonera began conducting business in Central Asia, primarily Uzbekistan – a country known for having one of the highest corruption levels in the world . Until late 2016, Uzbekistan was governed by president Karimov, whose regime has shown little respect for human rights throughout the years . In September 2012, a few years after TeliaSonera’s establishment in Uzbekistan, a Swedish journalistic television show claimed that TeliaSonera has completed monetary transactions to a local Uzbek partner with the process of obtaining 3G licences. This ‘local partner’ was revealed to be a small corporation based in Gibraltar with close links to Gulnara Karimova, the daughter of late president Karimov. In total, the transactions amount to more than 230 million Euros . Shortly following this disclosure, national prosecutors classed TeliaSonera’s transactions as constituting bribery, and a criminal investigation was initiated (: 187). In September 2017, three former TeliaSonera executives – including the former CEO and the former Vice President – were prosecuted with bribery charges .
The Uzbek affair has been thoroughly covered in national media and journalists have raised questions about the legality of TeliaSonera’s actions. Furthermore, representatives of the Swedish state have publically criticised the corporation’s apparent disregard for human rights. As the Minister for Financial Markets, Peter Norman, put it: “New and deepened knowledge regarding issues of human rights and corruption is needed in the Board of Directors, knowledge that is not present in the Board today” (, my translation). TeliaSonera has provided several public responses to the allegations of crime, both in the national media and through their own channels (for an analysis of these accounts, see ). At the inter-organisational level, one of TeliaSonera’s remedies for the Uzbek affair has been regulatory expansion:
In the last few years, we have understood the depth of the unethical and possibly illegal practices in region Eurasia. […] To remediate the issues we have worked extensively with analysing our risks, investigating potential fraud and corruption schemes, training employees and building a culture where no one is afraid of speaking up when they see potential or actual corrupt practices (: 76).
Thus risk regulation, with regard to bribery and corruption, has been transformed and expanded in the aftermath of the Uzbek affair. These developments, and the function they fill, are the units of analysis in this article. In the following section, a theoretical framework for understanding modern-day corporate risk management will be provided, beginning with a description of the corporate risk regulation of today.
Existing research and theoretical setting
To understand the functions of corporate risk management, one must first understand the transformations within the wider regulatory landscape. It is a landscape that adheres to neoliberal rationalities encouraging processes of de-regulation, primarily within the market and civil society – spheres that are perceived as relatively autonomous and thus released from external interference (:177). But simultaneously, the commercial and industrial life has witnessed an increase of regulation, which is particularly evident in the rise of internal control systems (:242; :36). Thus, re-regulation rather than de-regulation characterises the regulatory landscape of today (:16), as the exercise of control has been shifted from the sovereign state to become a built-in feature within the market itself (:517). By governing at a distance, the state decides on the ends of government whilst relying on the self-regulation of markets to fulfil these ends. This process is known as responsibilisation, and thus captures the way in which governing power has been redistributed among non-state actors and agencies (see :68–68).
Therefore, corporate risk management has experienced a considerable transformation and expansion in recent times, characterised by the growing importance of proactive – rather than reactive – means of managing organisational insecurities (: 244–245). However, the concept of ‘risk’ is not static. ‘Risk’ is commonly defined as the likelihood of an incident that is perceived as a danger in relation to organisational interests (: 86), suggesting that the meaning of risk is dependant upon the logics within the organisation (: 4). This fosters different regimes toward risk regulation, yet their basis generally consists of three essential stages: standard-setting (the process of setting targets within an organisation); monitoring (the observance of the pursuit of pre-defined targets); and enforcement (the modification of behaviour in cases of deviances) (: 23ff). By investing in each stage, organisations design their own regulatory regime and decide how to control the pre-defined risks within their own domains.
Extending the idea that risk regulation is dependent upon organisational definitions and interests, Michael Power offers a framework for differentiating between two sets of risk. Drawing on his observations of the expanding audit risk model, Power argues that there has been an important change in the way auditors interprets risk during the last decades. Rather than being concerned with mistakes and misstatements in the reporting process alone, auditors have become increasingly concerned with the risk of themselves suffering from financial and reputational damage (: 58). The former set of risks can be conceptualised as primary risks (risks that the auditors are explicitly charged with managing), whilst the latter can be conceptualised as secondary risks (risks relating to the auditors’ own position) (ibid: 59f). The distinction between primary and secondary risks, and the intertwining that may occur between the two, can also be applied when analysing the actions of corporations. Aside from the primary risks that modern-day corporations are expected to manage (e.g. social and environmental risks, as conceptualised by CSR), reputational risk management has emerged as a specific corporate vulnerability in the last decades (see : 129). Take, for example, the experiences of Shell. When the corporation decided to dispose the Brent Spar oil platform into the North Sea, it resulted in a mass boycott of Shell products. The reason for this was that whilst Shell had taken the environmental impact of the disposal into account, the corporation had not considered the ability of external stakeholders, lobby groups and the media to influence public opinion (: 33). Attempting to control the prospect of suffering reputational damage (that in the long run could transform into financial damage, as the case of Shell illustrates) requires secondary risk management, which may be all the more important for corporations facing allegations of crime, such as TeliaSonera.
Previous research on CSR further illustrates how secondary (reputational and financial) risks may be prioritised on behalf of primary (social and environmental) risks. Several authors suggest that corporate commitments to CSR regulation may be primarily rhetorical, in place to neutralise the risks attached to corporate conduct whilst allowing ‘business as usual’ to continue [6, 7, 9, 25]. Voluntary, international frameworks are often adopted into corporations in a manner that suits their financial interests (: 58; : 433), making it unlikely that corporations would assume CSR unless it fits the corporations’ profitability criteria (: 196). Thus, it is rather unsurprising that a recent meta-study found that the main incentives for investments in CSR were to i) strengthen the corporate image as a ‘good citizen’, ii) secure management positions, iii) signal the high quality of their products, and iv) reduce conflicts between the corporation and its stakeholders . Thus, CSR regulation may first and foremost be about restoring and maintaining corporate legitimacy:
The degree to which regulatory controls are imposed on capital is […] more readily comprehensible in terms of the harms that certain crimes cause to the legitimacy of the markets and associated institutions, rather than in terms of the harms that some crimes imply for people, for our water and air quality, for biodiversity, and so on (: 11).
The desire for legitimacy is particularly prominent for corporations facing allegations of unethical or illegal conduct, as their legitimacy is questioned in the light of the allegations (: 3). Crises of reputation and legitimacy due to corporate misconduct are therefore often met with corporate philanthropy and measures to improve social responsibility. To exemplify this notion, Kuldova  draws on the case of the Bill and Melinda Gates Foundation, which was established as a direct response to accusations of unlawful monopolization and crippling competitors, damaging the public image of Bill Gates. By “re-inserting morality into the market”, e.g. by expanding CSR commitments, consumers’ attention is diverted from exploitation and violations toward a socially responsible image (ibid: 7; see also ). After all, corporations must convince others that its use of power is in fact legitimate and rightful, in order to survive (: 1).
Drawing on Power’s framework, investments in CSR that are based on corporate, rather than social, interests could thus be conceptualised as constituting secondary, rather than primary, risk management (cf. : 149). In this article, the distinction between primary and secondary risk will be used as a theoretical basis for interpreting the functions TeliaSonera’s risk management fulfils in the aftermath of the Uzbek affair, and the interests that guide them.
To fulfil the aim of this article, a thematic analysis was conducted. The analysis was based on official documents1 describing TeliaSonera’s risk regulation: Annual and Sustainability Reports; Interim Reports; documentation from Annual General Meetings; and a selection of Press Releases.2 Taken together, the documents offer rich descriptions of how TeliaSonera’s regulatory regime has been developed, motivated, and evaluated over time. Since this article seeks to analyse TeliaSonera’s regulatory regime in the aftermath of the Uzbek affair – which was uncovered 2012 – the documents stretch from 2013 to 2015. The analysis was informed by the previously described ‘regime’ approach, proposing that risk regulation transpires in three fundamental stages: standard-setting, monitoring, and enforcement . In the analysis, these stages were reconstructed on the basis of the chosen documents. When put together, these stages constitute the analytical basis of a risk regulation regime. Whilst this approach could be criticised for limiting the researcher’s field of vision, it has the advantage of sensitising the analytical process, which has been theoretically informed from the outset (: 88). Furthermore, because of the heterogeneity of information conveyed in the material, a more grounded approach would not have been suitable, considering that large portions of the material is of little relevance for this article.
The process of analysing the material began with openly skimming through the documents, with the purpose of sorting out all sections describing risk management and CSR commitments. Since the risks of interest to this article relate to CSR, other sets of risk were neglected. In subsequent readings of these sections, greater attention was paid to detail and focused on anti-corruption and anti-bribery, whilst mapping out and loosely coding different regulatory practices (e.g. specific units and programs). These practices were subsequently sorted into the three stages within the analytical model of risk regulation. While it was not always evident to which of the three stages a specific practice belonged to, iteratively working on the theoretical analysis on the side helped uncover how the stages relate to one another, and how they together constitute TeliaSonera’s risk regulation regime.
When studying corporations – or other ‘powerful’ actors – there are a few common methodological limitations. Studying TeliaSonera is no exception. As a multinational corporation, TeliaSonera is in a social position that allows for selectivity in the information that is released into the public gaze, thus (implicitly or explicitly) setting the limits on the researcher’s interpretations of their activities. The presentation of the corporation in the chosen documents is characterised by a selected set of general key words and phrases, and takes aim at describing broader developments rather than targeting actual implementation of regulatory practices. Thus, drawing on Goffmans  classic concepts of ‘front stage’ and ‘back stage’, the empirical basis of this article is TeliaSonera’s front stage presentation, as the corporate back stage area remains inaccessible. In the following section, this presentation will be deconstructed, as its transformation in the aftermath of the Uzbek affair will be explored in detail.
Before the accusations
In 2010, prior to the Uzbek affair, TeliaSonera acknowledged that corruption is a substantial risk to the telecommunications industry (: 14), and stressed the need to fully understand “local conditions” in its anti-corruption work (: 4). Given its lack of democratic leadership coupled with a limited concern for human rights, Uzbekistan is highlighted as a high-risk country for corrupt practices (ibid: 11). However, in the eyes of the corporation, the risk of corruption appears sufficiently regulated through the corporate Code of Ethics and Conduct (: 66), which was introduced in 2009 (ibid: 4). To enforce the code, TeliaSonera has primarily relied on traditional forms of observing corporate behaviour, e.g. auditing and whistle-blowing systems (ibid: 9, 15), as well as employing external reviewers (: 12). All in all, the risk of corruption seems well known to TeliaSonera in the years leading up to the uncovering of the Uzbek affair, but its regulatory regime does not appear to be directed at managing this particular risk. As will be shown in the following analysis – which deconstructs TeliaSonera’s regulatory regime into the three stages of risk regulation – the same cannot be said in the years following the affair.
In any attempt to manage risk and provide security, organisations must first and foremost define what constitutes a risk (: 85). The means of defining and assessing risk transpires within the ‘standard-setting’ component within a risk regulation regime (see : 25).
For TeliaSonera, “anything that could have a material adverse effect on the achievement of TeliaSonera’s goals” is considered a risk (: 26), yet sustainability is singled out as a particular risk area. Whilst TeliaSonera prioritises four detailed sets of sustainability-related risk,3 the corporation has directed particular attention to define and assess the risks related to corruption and bribery in the aftermath of the Uzbek affair. As an immediate response to the allegations of crime, TeliaSonera employed an international law firm with the task of reviewing the corporation’s transactions in the Eurasia region, and conducting a risk assessment of TeliaSonera’s practices from an ethical perspective . The intention behind the review was for TeliaSonera to gain information on how to take “the necessary measures to establish suitable conditions in order to act appropriately and ethically today and in the future” (: 33). Furthermore, TeliaSonera conducted in-depth assessments within each of the high-risk markets in region Eurasia during the years following the Uzbek affair, with the purpose of investigating the risks of corruption and bribery (: 20).(Sustainability Report 2013: 20). This emphasis on defining and assessing the ethical risks within region Eurasia in the aftermath of the Uzbek affair illustrates how the meaning of ‘risk’ is contingent upon the interests and priorities of the corporation itself, rather than being self-evident constructions (cf. : 93).
The motivation for these risk assessments is displayed in the corporate values and norms, i.e. the standards against which organisational behaviour is to be compared (cf. : 452). These standards allow the corporation to make distinctions between the “more and less preferred states of the system” (: 23). Because TeliaSonera allegedly operates in “highly challenging markets”, the preferred state of the corporation could be represented by its zero tolerance against human rights abuses and corruption (: 43), suggesting that being socially responsible is an important norm guiding TeliaSonera’s risk regulation. This notion is further highlighted when the corporation claims to account for not only private, corporate, interests (i.e. profit) but also public interests, in the regulation of sustainability-related risk after the Uzbek affair:
[…] sustainability covers all efforts related to how we account for our long-term impact on society and the environment. Our responsibility extends throughout the value chain. We believe that when we do good, it strengthens not only our business but also the societies in which we operate, creating long-term shared value. (: 66).
As illustrated above, TeliaSonera appears to recognise the social impact of their business activities, and acknowledges that the corporation bears responsibility for mitigating this impact. The target of their operations is therefore not only profitability on the corporation’s behalf, but also to ‘do good’. Furthermore, TeliaSonera emphasizes that the corporation has a “duty to have a positive effect” on the communities in which they operate (: 11, my italics). Thus, by claiming to account for public interest in its regulatory regime, the corporation draws on the notion of itself as a ‘social actor’ to emphasise its duty to manage sustainability-related risk. However, TeliaSonera does not only use the language of social responsibility to describe its corporate position, but also to describe their business practices. By being active in the telecommunications industry, TeliaSonera states that the corporation attends to “one of the most profound and basic human needs – to communicate” (: 6). Thus, the corporation perceives itself as contributing to openness and societal development through the nature of their operations, in spite of the allegations of illegal business practices in Uzbekistan:
The Board believes that few tools are better for transparency and democracy than mobile telecommunications, which enable people to communicate with each other and the outside world .
Throughout the analysed documents, TeliaSonera highlights the positive nature of their industry and the impact of their core business activities, rather than addressing the risks that these activities might pose to communities. These claims that the corporation create opportunities for societies in which they operate and tends to ‘human needs’ could be interpreted as an attempt to create the image of the corporation as a ‘good citizen’ (cf. : 45–46; : 193), and thus represents an attempt to restore corporate legitimacy, which has been questioned and re-negotiated in the aftermath of the Uzbek affair.
But becoming a good citizen is not the only standard that TeliaSonera strives to uphold. It cannot be ignored that after all, the main objective of corporations is to create profit for the shareholders (: 35). In the aftermath of the Uzbek affair, this profitability concern is intimately tied to the realm of social responsibility, as expressed by the Chairman of the Board at one of TeliaSonera’s Annual General Meetings after the Uzbek affair:
It is my strong opinion that there is a clear link between a long-term approach to sustainability issues and high profitability. In TeliaSonera, as in any company, the customer is king. If we can ensure that we meet their expectations we will also be able to deliver a good return on investment of our shareholders. 
Thus, by acknowledging sustainability-related risks and securing a responsible business approach, TeliaSonera suggests that the corporation will increase profit levels. Profitability is therefore understood as delivered through sustainability. Sustainability, in that sense, becomes an instrument or a tool for a given end, rather than being the end itself. These notions illustrate that despite rising concerns about the social impact of corporate conduct and the demands for complying with international CSR standards, the primary relationship between society and business remains economic, based on corporate, not social, interest (cf. : 52).
Defining something as a ‘risk’ implies that it is a threat to organisational interests (: 3). According to Power (: 61), the most prominent threat for corporations is reputational damage. When discussing socially responsible regulation in the years following the Uzbek affair, TeliaSonera frequently links reputational concerns to sustainability in a manner suggesting that the former, not the latter, is the target of regulation:
My ambition is for TeliaSonera to set an example, but also to be a leading company within selected business areas, or as we say, Ethical Business Practices. Our focus right now is on freedom of expression and anti-corruption, areas where we have the burden of proof. […] Much time and effort has been spent to restore confidence in the company, and this will continue. (, my italics).
Here, the expansion of regulation is perceived as a means of ‘restoring confidence’ in the corporation, in the aftermath of the Uzbek affair. When discussing high-risk markets and complicated legal areas, TeliaSonera emphasizes that the risk of operating in these areas are those of “lawsuits that might harm the company” (, my italics), and that regulatory failures have the potential to “negatively impact TeliaSonera’s business operations and its brand” (: 29, my italics). Thus, the corporation presents itself as being at risk of harm in instances of non-compliance with sustainability-related demands. This is illustrated during the first Annual General Meeting after the uncovering of the Uzbek affair, as the CEO suggests that if the corporation’s reputation is harmed, it could affect other aspects within TeliaSonera as well, such as the profitability levels in the long run:
People’s confidence in TeliaSonera as a company is crucial. Our confidence capital is a competitive factor that we cannot afford to be without. It is a necessary prerequisite for building future values. If confidence in the company falters, we take it very seriously. .
This quotation illustrates the ways in which reputation – or “confidence capital” – is understood in financial terms, as it is related to the corporation’s profitability. As such, maintaining reputation itself might not be the purpose of TeliaSonera’s standard-setting process; rather, the purpose is financial gain through reputational capital.
Thus, in response to the allegations of crime, TeliaSonera has taken measures to further define and assess the risks relating to bribery and corruption in the Eurasia region. The corporation is furthermore careful to position itself as a social actor in the aftermath of the Uzbek affair, but these concerns are simultaneously bound up with issues of ‘confidence capital’ and profitability. In these instances, it appears that TeliaSonera’s standard-setting process emphasises the interests of the corporation, rather than the interests of the community at large (cf. : 11).
When facing high levels of public scrutiny in the aftermath of the Uzbek affair, TeliaSonera acknowledged their unethical behaviour and offered the following explanation:
Overall, the internal information and control at different levels (owners, directors, management and line management) was not sufficient to pick up warning signs that there were ethical risks. In hindsight, it is evident that a more stringent investigation of the counterparties should have been conducted. One consequence of this was that subsequent investments were also not subjected to proper examination. 
Here, the Uzbek affair is framed as the result of lacking information about the risks TeliaSonera face, which caused a case of corporate ‘under-regulation’ (cf. : 69). This relates to the second stage within a risk regulation regime: monitoring, i.e. means of observing activities and gathering information in order to detect any irregularities or deviances (: 23). Monitoring thus functions as a way of safeguarding the pursuit of pre-defined goals (: 452). Unsurprisingly, several new means of information-gathering have been developed within TeliaSonera in the aftermath of the Uzbek affair.
To monitor the risks the corporation face, two new regulatory units have been implemented during 2013, the year following the uncovering of the affair. Firstly, TeliaSonera has introduced the Governance, Risk, Ethics and Compliance (GREC) meetings, in order to monitor internal measures taken to minimise – among others – sustainability-related risk. The meetings are based on information comprised in various internal risk assessments and risk reports (: 56, 59-61). Secondly, TeliaSonera has developed the Sustainability and Ethics Committee (SEC), consisting solely of members from the Board of Directors. The committee collects information about, and seeks to monitor, all sustainability-related reporting, policy-making, and implementation processes throughout the corporation (ibid: 48). Taken together, these units illustrate a shift within TeliaSonera that occurred after the uncovering of the Uzbek affair, as they facilitate greater degrees of monitoring (and thereby controlling) the activities and behaviours within the corporation. However, TeliaSonera does not only rely on internal means of observing levels of compliance. Because of the Uzbek affair, TeliaSonera employed a national law firm with the task of reviewing all of the corporation’s investments in Uzbekistan. The purpose of this review was to obtain an “independent investigation” of the allegations of criminal conduct (: 12). Thereby, TeliaSonera receives an external – yet still private – review that aids the corporation in monitoring its behaviour.
In 2014, TeliaSonera adds another new monitoring function to the list, as the corporation introduces the Speak-Up Line. It is a whistle-blowing function, and can thus be used to report (suspected) breaches of ethical and legal frameworks (: 59). The Speak-Up Line can be used by employees wishing to avoid regular reporting mechanisms (e.g. contacting their local manager), but it can also be used by members of the public. Thereby, the line offers “everybody […] the opportunity to anonymously report any mistakes they see being made” (, my italics). The fact that the Speak-Up Line is available not only for employees but for the general public illustrates how TeliaSonera invites the public to monitor their activities. Similar to the ways in which members of the public are able to report illegal behaviours on the street, they are now given the opportunity to report illegal and unethical behaviour within a corporation. The Speak-Up Line is therefore an example of how traditional mechanisms of monitoring social order have been extended into closed, private settings (cf. : 517–518). Thus, by not only having internal means of monitoring but also allowing external agencies – both private law firms and the general public – to observe corporate behaviour, TeliaSonera attempts to create “windows on society which bring the ‘outside in’” (: 139). However, the monitoring conducted by the Governance, Risk, Ethics and Compliance Meetings, and the Sustainability and Ethics Committee, still occurs behind closed doors, and the results from private reviews and reports to the Speak-Up Line are owned by the corporation. These functions could therefore help TeliaSonera limit the possibility of negative publicity, and thus avoid larger financial and reputational repercussions, if non-compliance is discovered (cf. : 61).
There are several examples of how TeliaSonera attempts to collect information about the present state of the corporation, and thus monitor “what happens in pursuance of the goal” (: 452). Following the Uzbek affair, TeliaSonera conducted a materiality review, in which a set of sustainability-related risks were identified. Subsequently, these risks were validated by the corporation’s stakeholders, which allowed for benchmarking of the corporation’s work (: 70). Furthermore, TeliaSonera began adding sustainability-related questions to their employee commitment survey, in order to gather information on how employees perceive the corporation’s sustainability work (ibid: 71). Later on, in 2015, TeliaSonera constructed the ‘sustainability perception index’, which contains stakeholders’ perceptions of the corporation’s sustainability work, thus allowing for statistical measurements of corporate performance. The corporation also constructed the ‘responsible business index’, which presents measurements of the employees’ knowledge about TeliaSonera’s ethical frameworks (: 69).
These means of collecting information on corporation performance, in relation to stakeholders’ expectations and employees’ perceptions, suggests that TeliaSonera actively attempts to monitor the corporation’s pursuit to minimise sustainability-related risk. Furthermore, the visibility of these reviews and indexes illustrate how means of monitoring can be used by the corporation to paint a desired picture of the corporation before the eyes of potential stakeholders. Thus, these regulatory practices may fall within a corporate ‘front stage’, as they represent a carefully prepared performance in front of the target audience (cf. : 128).
The final component within a risk regulation regime is the enforcement component; the means “by which power or influence is brought to bear on the system to change its state” (: 22). This component pertains to corrective actions, aimed at modifying individual and organisational behaviour in the pursuit of the ideal state of the organisation (: 26). Within TeliaSonera, the practices that seek to modify behaviour fall on both sides of the regulatory spectrum, as they represent both coercive and persuasive strategies. Typically, coercive modes of regulation emphasises rules, reactive approaches, and punishment, whilst persuasive modes of regulation emphasises incentives, proactive approaches, and trust (: 247–248).
The most important persuasive strategies to secure compliance within TeliaSonera are the codes of conduct, which set “the boundaries on how the employees shall act” (: 40). Whilst the codes of conduct existed prior to the Uzbek affair, TeliaSonera put particular emphasis on developing complementing strategies aimed at preventing corruption and bribery in its aftermath. In 2013, the corporation implemented a policy and guiding principles on the subject of anti-corruption, as the corporation recognises the need to “do more to fight corruption and bribery” (: 3). Thus, the risks TeliaSonera defined in the standard-setting stage after the Uzbek affair is here disaggregated into corporate practice.
The primary responsibility for enforcing “compliance with ethical and legal requirements” falls upon the Ethics and Compliance Office (ECO), which was established in 2013, thus shortly after the uncovering of the Uzbek affair (: 6). The ECO focuses on sustainability-related risks and attempts to modify employee behaviour through different compliance-oriented strategies. The primary means for doing so is the implementation of specific ethics and compliance programs (ibid: 45), which in the aftermath of the Uzbek affair took the shape of an anti-bribery and corruption program. The program aims to implement the anti-corruption policy through a persuasive regulatory approach, in which employee behaviour is to be modified through classroom training sessions, internal learning platforms, e-mails, meetings and networks (: 21).
To interpret these developments within TeliaSonera’s regulatory regime, it is possible to explore how the notion of ‘risk’ affects organisational behaviour. Within a risk paradigm, concern falls on the prevention and calculation of future harm, and different means of maintaining security (: 245f). Therefore, modification and correction of behaviour ought to be characterised by a proactive rather than reactive regulatory mentality, thus suggesting that the behaviour of all actors involved in an organisation needs to be corrected before non-compliance occurs. This is illustrated by the persuasive regulatory approach employed by TeliaSonera, since behaviour and action is to be modified through standards, programs, training sessions, and so forth prior to potential breaches of ethical and legal frameworks. However, these persuasive, proactive means of modifying employee behaviour does not only illustrate that all employees are simultaneously perceived as being subjected to risk and constituting a risk, but also that they are responsible for managing risk. Thus, through such means of enforcement, “everyone becomes a risk manager” (: 62). This notion is especially interesting in the case of TeliaSonera, since it was three former executives – among these, the former CEO and the former Vice President – that were charged with allegations of committing bribery during TeliaSonera’s establishment in Uzbekistan. Thus, parts of TeliaSonera’s formal management are under investigation, yet the risk of committing bribery is here collectivised and framed as a responsibility for the entire corporation – which may particularly affect employees further down the corporate hierarchy, through the development of training sessions and learning platforms.
The coercive regulatory strategies within TeliaSonera take the form of more traditional corrective actions. As described previously, both employees and external actors have the possibility of reporting suspicions about non-compliance with ethical and legal frameworks through TeliaSonera’s Speak-Up Line. The case reports are later managed – and if necessary, investigated – by the Special Investigations Office, a new regulatory unit that was introduced alongside the Speak-Up Line in the aftermath of the Uzbek affair (: 59-60). When the investigations are closed and it is deemed necessary to take disciplinary action, the case reports are handed to the Ethics Forum. The forum was founded in 2014, and is an oversight committee headed by the CEO with the specific aim of managing corrective actions when allegations of non-compliance are substantiated (: 68). During 2015, the majority of the decisions taken by the Ethics Forum “resulted in termination of employees but also warnings were issued in some cases” (: 60). Thus, TeliaSonera has the ability to act as a private justice regime, as “out-of-court settlements” appear to be an option for modifying organisational behaviour (contrasting public justice regimes, represented by state institutions and the use of criminal law) (see :46). However, TeliaSonera does not attempt to correct instances of non-compliance all by itself. In 2014, the corporation had a case concerning potential fraud within the corporation. Given the nature of the case, the investigation “required public announcement” and was therefore handed over to a local prosecutor. With regard to the involved actors, TeliaSonera writes that these employees are “no longer with the company” (: 68). This notion therefore illustrates that whilst TeliaSonera is a private actor, the corporation has the ability of employing public institutions in the pursuit of their own interests. As such, the state is not neglected – which would have been impossible in the case of TeliaSonera, as the Swedish state is the principal shareholder – but still has the ability to exert some influence over operations that are primarily kept within closed, private settings (cf. : 466–467).
A new regulatory regime
In the past three sections, it has been shown how TeliaSonera has transformed and extended their risk regulation regime in several ways in the years following the Uzbek affair. The norms informing the regime draw attention to the importance of TeliaSonera being a ‘social actor’, whilst simultaneously highlighting the need to increase the corporation’s financial and reputational capitals. These norms affected the means of setting standards in the aftermath of the Uzbek affair, as TeliaSonera assigned particular emphasis to corruption and bribery in the process of selecting and assessing risk. Furthermore, the corporation has extended its means of internal monitoring, primarily by establishing a series of new regulatory units: the Governance, Risk, Ethics and Compliance Meetings; the Sustainability and Ethics Committee; and the Speak-Up Line. TeliaSonera furthermore expanded regulation by initiating an external review of the transactions in Uzbekistan, and by constructing indexes to monitor the state of its internal sustainability work. With regard to enforcing compliance, TeliaSonera seeks to modify behaviour through a set of persuasive regulatory strategies within the realm of anti-corruption and bribery. These strategies are the primary responsibility of the newly established Ethics and Compliance Office. In addition, TeliaSonera draws on coercive strategies to investigate and correct potential breaches of ethical and legal frameworks, through the newly founded Special Investigations Office and the Ethics Forum. In conclusion, there have been substantial transformations in the way TeliaSonera manages risk in the aftermath of the Uzbek affair, illustrated by the expansion and heightened complexity within all stages of the corporation’s risk regulation regime.
In conclusion, TeliaSonera not only emphasised the areas of bribery and corruption in the aftermath of the Uzbek affair; it also organised a regulatory regime around them. However, whilst it might be expected that the regime was developed to minimise the risks of social harm that stem from bribery and corruption, there are aspects of the regime that do not primarily correspond with this objective. These aspects will be summarised and discussed in the following section.
Dual functions of corporate risk management
Firstly, in the analysis of TeliaSonera’s norms regarding corruption and bribery, it became apparent that whilst the corporation emphasizes the importance of managing social responsibility, this concern was at times made relative to either the corporation’s reputation or its profitability. Thereby, sustainability is constructed as means of achieving important corporate targets, rather than constituting the target itself, whilst reputational and monetary losses become constructed as risks. Furthermore, the way TeliaSonera positions itself as a ‘good citizen’ could be understood as a means of investing in reputational assets, since the corporate statements focused on TeliaSonera’s position in ‘risky’ societies, rather than the actual impact the corporation has on these societies. Thus, on the path towards ensuring compliance with demands for social responsibility, TeliaSonera’s emphasis falls on risks against the corporation – reputational and financial risk – and not on risks against the communities.
Secondly, in the analysis of TeliaSonera’s components for monitoring and enforcement, it was shown that several new regulatory units have been developed in the years following the Uzbek affair. Whilst limitations in the material hinder insight into the units’ actual operations, their mere existence and visibility illustrate how TeliaSonera has invested in an outward-facing and seemingly responsive regulatory regime – thus supporting the management of reputational risk (cf. : 135). This is also illustrated by the notion that the prevention of bribery is framed as a responsibility for the corporation as a whole, rather than primarily being a responsibility for the TeliaSonera management. Thereby, it can be suggested that (visible) regulatory expansion in itself is important, rather than regulatory expansion concerned with preventing the Uzbek affair from repeating itself.
Furthermore, by employing private law firms to review the investments in Eurasia and the subsequent allegations of bribery, TeliaSonera ‘owns’ the investigation and can thus decide whether or not the results ought to be made public. Similarly, the private investigations and corrective actions relating to the Speak-Up Line, the Special Investigations Office, and the Ethics Forum facilitates a degree of corporate discretion, as irregularities can be kept outside the public gaze, and cases of verified non-compliance can be corrected internally. The notion that corporations can ‘own’ their conflicts is not new, however this case illustrates how chances of negative publicity can be kept to a minimum since no external actors need to be involved in the process of monitoring and enforcement (cf. [35, 36]).
The present study argues that these aspects do not primarily fulfil the objective of managing the social risks related to corruption and bribery; instead, they primarily fulfil the objective of managing the reputational and financial risks of these crimes. Thus, conceptually, a distinction can be made between primary and secondary risks, i.e. between the risks TeliaSonera is explicitly expected to manage (social harm), and the risks that relates to TeliaSonera’s corporate position [1, 2]. The aspects of TeliaSonera’s regulatory regime summarised above – and highlighted in greater detail throughout the analysis – could be interpreted as secondary risk management, as the corporation attempts to minimise the prospect of reputational and financial losses, which is materialised in the way TeliaSonera has transformed its internal environment of crime control. Thus, while TeliaSonera’s new regulatory regime could be interpreted as an attempt to manage primary risks – suggesting that the function of minimising non-compliance with legal and ethical frameworks is to minimise the harmful impact of business conduct on society – the findings illustrate how its regime simultaneously is designed and employed to manage secondary risks.
Discussion and conclusions
This article has shown how TeliaSonera’s risk regulation has transformed and expanded in the aftermath of allegations of crime. It has been suggested that the regime in place to manage social and ethical risks simultaneously manages reputational and profitability-related risks, thus illustrating the dual functions of corporate risk management. The distinction between primary and secondary risk management should therefore not be understood as clear-cut, since primary risks can become translated into secondary risks (cf. : 58). For TeliaSonera, this translation process was initiated and amplified when the corporation’s failure to manage primary risks became publicly scrutinised in the light of the Uzbek affair. The core of the regulatory failure might therefore not be the failure itself, but rather the failure to maintain a legitimate corporate position in the eyes of its stakeholders (cf. : 71). This finding echoes previous research on how corporate CSR can be used to neutralise the risks attached to corporate conduct and maintain the corporation’s legitimacy [6, 7, 9, 25]. However, this also suggests that secondary risk management depends – or even parasitizes on – primary risk management. If the latter did not exist at all, TeliaSonera’s front stage performance would not gain the credibility and ‘account-ability’ the corporation needs in order to recover from the Uzbek affair.
The desire for legitimacy, which may be achieved through investments in CSR and corporate philanthropy, may be even greater for TeliaSonera with regard to its ownership structure. As previously mentioned, the Swedish state is the principal shareholder in TeliaSonera. As such, the Uzbek affair not only had the potential of harming the corporation’s reputation, legitimacy and in the long run, profitability; but also of creating distrust against the Swedish state as a responsible owner. Thus, the legitimacy of the state itself was threatened, which becomes evident in the way its ownership in TeliaSonera was questioned in national media after the Uzbek affairs’ unfolding (e.g. ). This obvious intertwining between ‘public’ and ‘private’ interests could have amplified the need of secondary risk management, as the state’s legitimacy as a business owner – and as the overall provider of social welfare – is at stake, alongside the legitimacy of the corporation itself (cf. : 705).
Apart from being a means for corporations to position themselves – and in this particular case, the state – as legitimate actors, CSR is also a means for the state to govern corporations, by making them engage in self-regulation. As touched upon earlier in this article, the regulatory landscape is characterised by a dispersal of control as the state operates ‘at a distance’, by responsibilising actors and organisations to fulfil state-set targets and responsibilities (: 153). The Swedish state is a prime example of that. Along neoliberal lines of reasoning, the state has responsibilised all state-owned enterprises with the task of safeguarding human and environmental rights in the course of conducting business, through self-regulatory measures like constructing internal policies and strategies (: 22f).4 Thus, corporations entering the regulatory landscape find themselves with a discretionary space, as the implementation of these responsibilities into their regulatory regimes is left in their own hands. Arguably, this suggests that the responsibilisation strategy allows for private interests in corporate risk regulation, since the state must govern with the interests of the corporations and through their freedom, in order for governance to be successful (see : 81, 118). By making corporations new sites of regulatory control in the realm of social and environmental responsibility, it becomes possible for corporate interests to be included in the regulatory process – which is here illustrated by TeliaSonera’s management of secondary risks.
Given these findings, the case of TeliaSonera offers a suggestive example of how a non-state partakes in the task of controlling risks of harmful and illegal behaviour – responsibilities that are traditionally associated with the nation state (see e.g. : 515) – by engaging in self-regulation. Of particular interest is the way in which TeliaSonera’s regulatory regime fulfils dual, often intertwining, functions, further illustrating the present diversity within the regulatory landscape with regard to the regulators’ interests and objectives (cf. : 468). The process in which primary risks become translated into secondary risks is understood as a trend towards ‘the risk management of everything’ (: 58). By drawing on the case of TeliaSonera, this article suggests that the responsibilisation strategy amplifies this process, by contributing to the decentralisation of the regulatory landscape.
To find relevant Press Releases, the following search words were used, either by themselves or combined: sustainab*; CSR; social* responsib*; ethic*; Eurasia; risk; governance; compliance*.
These are anti-corruption; freedom of expression; customer privacy; and occupational health and safety (Annual and Sustainability Report 2014: 55).
The state’s ownership policy is revised and reprinted each year (the latest to date was published in 2017). Here, however, the framework from 2007 was chosen since this was the year TeliaSonera began to establish itself in Uzbekistan, and thus these were the state’s ownership policy at that particular time.
I am grateful to Janne Flyghed and Isabel Schoultz, and the two anonymous reviewers, for their helpful comments on earlier drafts of this article. I am also grateful to Tea Fredriksson, for improving the language of this article.
This research was conducted within the context of the research project “Business as usual. Corporate strategies in response to allegations of crime”, financed by Riksbankens Jubileumsfond (RJ P15–0176:1) managed by Janne Flyghed and Isabel Schoultz.
Compliance with ethical standards
Conflict of interest
The author declares that there are no conflicts of interest.
- 1.Power, M. (2004a). The risk management of everything. The Journal of Risk Finance, 5(3), 58–65.Google Scholar
- 2.Power, M. (2004b). The risk management of everything: Rethinking the politics of uncertainty. London: Demos.Google Scholar
- 3.Friedrichs, D. O. (2010). Trusted criminals: White collar crime in contemporary society. 4 th ed. Belmont: Wadsworth.Google Scholar
- 4.Michalowski, R. J., & Kramer, R. C. (Eds.). (2006). State-corporate crime: Wrongdoing at the intersection of business and government. Brunswick, N.J: Rutgers University Press.Google Scholar
- 5.Tombs, S., & Whyte, D. (2014). The corporate criminal: Why corporations must be abolished. Abingdon: Routledge.Google Scholar
- 6.Roberts, J. (2003). The manufacture of corporate social responsibility: Constructing corporate sensibility. Organization, 10(2), 249–265.Google Scholar
- 7.Bittle, S., & Snider, L. (2013). Examining the Ruggie report: Can voluntary guidelines tame global capitalism? Critical Criminology, 21(2), 117–192.Google Scholar
- 8.Garsten, C., & Jacobsson, K. (2011). Post-political regulation: Soft power and post-political visions in global governance. Critical Sociology, 39(3), 421–437.Google Scholar
- 9.Banerjee, S. B. (2008). Corporate social responsibility: The good, the bad and the ugly. Critical Sociology, 34(1), 51–79.Google Scholar
- 10.Engdahl, O., & Larsson, B. (2015). Duties to distrust: The decentring of economic and white- collar crime policing in Sweden. British Journal of Criminology, 56(3), 525–536.Google Scholar
- 11.Telia Company (2017a). Once upon a time… https://www.teliacompany.com/en/about-the-company/history/. Accessed 1 April 2017.
- 12.Telia Company (2017b). Shareholders. https://www.teliacompany.com/en/about-the-company/corporate-governance/shareholders/. Accessed 1 April 2017.
- 13.Transparency International (2017). Uzbekistan. Corruption Perception Index 2016. https://www.transparency.org/country/UZB. Accessed 1 November 2017.
- 14.Human Rights Watch (2017). Uzbekistan. https://www.hrw.org/europe/central-asia/uzbekistan. Accessed 1 November 2017.
- 15.Uppdrag Granskning (2012). TeliaSonera i miljardaffär med diktatur. SVT Nyheter. http://www.svt.se/nyheter/granskning/ug/teliasonera-gjorde-miljardaffar-med-diktatur-genom-bolag-i-skatteparadis. Accessed 1 April 2017.
- 16.Schoultz, I., & Flyghed, J. (2016). Doing business for a “higher loyalty”? How Swedish transnational corporations neutralise allegations of crime. Crime, Law and Social Change, 66(2), 183–198.Google Scholar
- 17.Stockholm District Court [Stockholms Tingsrätt] (2017). Målnr. B 12201–17.Google Scholar
- 18.Garland, D. (1997). Governmentality’ and the problem of crime: Foucault, criminology, sociology. Theoretical Criminology, 1(2), 173–214.Google Scholar
- 19.Lindgren, S.-Å. (2007). Säkerhet, effektivitet och rättvisa. Observationer om social kontroll av näringslivsverksamhet. In H. von Hofer & A. Nilsson (Eds.), Brott i välfärden: festskrift till Henrik Tham (pp. 241–262). Stockholm: Stockholms Universitet.Google Scholar
- 20.Power, M. (2007). Organized uncertainty: Designing a world of risk management. Oxford: Oxford University Press.Google Scholar
- 21.Clarke, M. (2000). Regulation. The social control of business between law and politics. London: Macmillan Press.Google Scholar
- 22.Baldwin, R., Cave, M., & Lodge, M. (2011). Understanding regulation. Theory, strategy, and practice. Oxford: Oxford University Press.Google Scholar
- 23.Ericson, R., & Haggerty, K. F. (1997). Policing the risk society. Oxford: Clarendon Press.Google Scholar
- 24.Hood, C., Rothstein, H., & Baldwin, R. (2001). The government of risk: Understanding risk regulation regimes. Oxford: Oxford University Press.Google Scholar
- 25.Laufer, W. S. (2003). Social accountability and corporate greenwashing. Journal of Business Ethics, 43(3), 253–261.Google Scholar
- 26.Harjoto, M. A., & Jo, H. (2011). Corporate governance and CSR nexus. Journal of Business Ethics, 100(1), 45–67.Google Scholar
- 27.Tombs, S., & Whyte, D. (2003). Introduction: Corporations beyond the law? Regulation, risk and corporate crime in a globalised era. Risk Management, 5(2), 9–16.Google Scholar
- 28.Kuldova, T. (2017). When elites and outlaws do philanthropy: On the limits of private vices for public benefit. Trends in Organized Crime, 21(2), 1–15.Google Scholar
- 29.Singla, A., & Sagar, P. (2004). Trust and corporate social responsibility: Lessons from India. Journal of Communication Management, 8(3), 282–290.Google Scholar
- 30.Ryan, G. W., & Bernard, H. R. (2003). Techniques to identify themes. Field Methods, 15(1), 85–109.Google Scholar
- 31.Goffman, E. (2014). Jaget och maskerna: en studie i vardagslivets dramatik (6th ed.). Stockholm: Studentlitteratur.Google Scholar
- 32.Crawford, A. (2006). Networked governance and the post-regulatory state? Theoretical Criminology, 10(4), 449–479.Google Scholar
- 33.Engdahl, O. (2009). Barriers and back-regions as opportunity structures for white collar crime. Deviant behaviour, 30(2), 115–143.Google Scholar
- 34.Hood, C., Rothstein, H., Baldwin, R., Rees, J., & Spackman, M. (1999). Where risk society meets the regulatory state: Exploring variations in risk regulation regimes. Risk Management, 1(1), 21–34.Google Scholar
- 35.Croall, H. (2003). Combating financial crime: Regulatory versus crime control approaches. Journal of Financial Crime, 11(1), 45–55.Google Scholar
- 36.Flyghed, J. (2017). Privatisation of intelligence-led policing: auditors doing forensic work. In N. Fyfe, H. O. Gundhus, & K. V. Rønn (Eds.), Moral issues in intelligence-led policing (pp. 204–219). Abingdon, Oxon: Routledge.Google Scholar
- 37.Aftonbladet (2013). Seko: Staten måste ta grepp om de statliga bolagen. https://www.aftonbladet.se/debatt/a/OnW1nq/seko-staten-maste-ta-grepp-om-de-statliga-bolagen. Accessed 17 August 2018.
- 38.Roper, J., & Orgad, M. (2011). State-owned enterprises: Issues of accountability and legitimacy. Management Communication Quarterly, 24(4), 693–709.Google Scholar
- 39.Aas, K. F. (2013). Globalization and crime. London: SAGE.Google Scholar
- 40.Government Offices [Regeringskansliet]. (2007). Verksamhetsberättelse för företag med statligt ägande. Stockholm: Näringsdepartementet.Google Scholar
- 41.Valverde, M. (2017). Michel Foucault. Abingdon, Oxon New York: Routledge.Google Scholar
- 42.Sveriges Radio (2012). Peter Norman kräver ändring i Telias styrelse. https://sverigesradio.se/sida/artikel.aspx?programid=83&artikel=5296311. Accessed 17 August 2018.
- 43.Braithwaite, J. (2003). What's wrong with the sociology of punishment? Theoretical Criminology, 7(1), 5–28.Google Scholar
- 44.Hearit, K. M. (1995). "Mistakes were made": organizations, apologia, and crises of social legitimacy. Communication Studies, 46, 1–17.Google Scholar
- 45.Muchlinski, P. (2003). The development of human rights responsibilities for multinational enterprises. In R. Sullivan (Ed.), Business and human rights: dilemmas and solutions (pp. 33–51). Sheffield: Greenleaf.Google Scholar
- 46.TeliaSonera (2010). Corporate Responsibility Report.Google Scholar
- 47.TeliaSonera (2011). Corporate Responsibility Report.Google Scholar
- 48.TeliaSonera (2012). Sustainability Report.Google Scholar
- 49.TeliaSonera (2013). Annual Report.Google Scholar
- 50.TeliaSonera (2013). Sustainability Report.Google Scholar
- 51.TeliaSonera (2013). Interim Report, January-March.Google Scholar
- 52.TeliaSonera (2013). Interim Report, January-June.Google Scholar
- 53.TeliaSonera (2013). Press release 2013-02-01.Google Scholar
- 54.TeliaSonera (2013). Press release 2013-04-18.Google Scholar
- 55.TeliaSonera (2013). Annual General Meeting: transcript of CEO speech.Google Scholar
- 56.TeliaSonera (2014). Annual and Sustainability Report.Google Scholar
- 57.TeliaSonera (2014). Annual General Meeting: transcript of CEO speech.Google Scholar
- 58.TeliaSonera (2014). Annual General Meeting: transcript of Chairman of the Board’s speech.Google Scholar
- 59.TeliaSonera (2015). Annual and Sustainability Report.Google Scholar
Open Access This article is distributed under the terms of the Creative Commons Attribution 4.0 International License (http://creativecommons.org/licenses/by/4.0/), which permits unrestricted use, distribution, and reproduction in any medium, provided you give appropriate credit to the original author(s) and the source, provide a link to the Creative Commons license, and indicate if changes were made.