Types of Power at Work: Weber’s Three Sources of Authority (and Why They Matter)
- bennym40
- May 4
Updated: May 5
How to tailor risk team strategy to the culture of the organisation to increase the likelihood that valid challenge will be constructively engaged with.
The views and opinions expressed on this account are my own and do not reflect the official policy or position of my employer. Any content provided is for informational purposes only and should not be considered or relied upon as professional advice.
Why do some people get decisions pushed through—even when there’s serious pushback—while others struggle to influence anything beyond their immediate team? One useful way to think about this is Max Weber’s classic view of organisational power[i]: the ability of one person to have their will carried out despite resistance. That power becomes legitimate authority when the organisation broadly accepts that a person is entitled to use it in a particular domain (for example, a CFO challenging the accuracy of financial reports, or a people manager making hiring decisions).
Weber breaks legitimate authority into three sources: traditional, bureaucratic, and charismatic. In reality, leaders usually blend all three, but separating them makes it much easier to understand how decisions really get made.
Traditional authority
Traditional authority comes from “the way things have always been done.” It’s rooted in customs, history, inheritance, or religion. In organisational life, you can see echoes of this when a founder’s view carries extra weight because “they built this place,” or when a family-owned business treats certain roles as hereditary. It doesn’t require formal qualifications, although competence often matters if the wider group is going to keep accepting it.
Bureaucratic authority
Bureaucratic authority is authority that comes from rules: laws, policies, governance, job descriptions, decision rights, and formal processes. The crucial point is that this kind of authority sits in the role, not the person. A CEO can overrule decisions because the organisation grants the position that right; if they’re demoted, that personal authority can largely disappear with the job title. This is why hierarchies can feel stubborn: even if you think a leader is making poor calls, only a limited set of people (or bodies) are formally empowered to override or remove them.
Charismatic authority
Charismatic authority comes from the person: their skills, presence, reputation, and ability to persuade a group. It can be incredibly powerful, and also fragile. Because it depends on ongoing belief in the leader, shifts in performance, context, or perception can weaken it quickly (whether fair or not). It’s also why some charismatic leaders try to “lock in” their influence by converting it into something more stable, for example formal governance (bureaucratic authority) or a founder-legend narrative (traditional authority).
Of course, real life is messy: leaders usually draw on a mix of these sources of legitimacy depending on the moment. Steve Jobs is a good illustration. Over time, he accumulated something like traditional authority (seen as intertwined with Apple’s identity), bureaucratic authority (as the head of the corporation), and charismatic authority (through product storytelling and personal brand). Likewise, many successful monarchs didn’t rely on tradition alone—they reinforced it with charisma; and when charisma was lacking, they often tried to stabilise legitimacy by formalising powers through law and institutions.
So What?
None of these sources of authority is inherently “good” or “bad.” But if you don’t understand how authority is conferred and maintained within and across your organisation, you can end up designing challenge and governance mechanisms that look robust on paper but fail in practice.
If your job involves scrutiny, risk, compliance, audit, or simply “speaking truth to power,” it helps to diagnose which kind of authority is doing the work in a given situation, and which kind your organisation rewards.
For example, if promotions implicitly favour charismatic leaders, the organisation may (often unintentionally) underinvest in the unglamorous foundations of bureaucratic authority: documentation, clear roles, and governance. In that context, pushing for more formality can feel (rightly or wrongly) like a challenge to the basis on which leaders earned their status in the first place. And where a founder has built a company from scratch (and maybe even shares its name), they may hold a level of traditional authority that is extremely hard to confront head-on. Developing influence to successfully challenge decision-making may depend on working earlier, more informally, or shaping options before public positions are taken.
How Risk Teams Should Respond
Each of Weber’s three types of power can be used for good and for ill (at least from a risk team’s perspective). Risk teams need to assess authority type not only where it is already being used to undermine challenge or sideline the risk team: understanding authority type can also help them anticipate how unwelcome challenge could be thwarted in the future.
Bad Bureaucracy
Whilst the standard risk management toolset tends to be most effective in an organisation whose power structure is dominated by bureaucratic authority, bureaucracy can be used to thwart legitimate challenge. Leaders can hide behind procedure and protocol, for instance by:
- Ensuring that risk teams are engaged too late in the decision-making process to provide useful challenge.
- Utilising overly rigid governance processes to minimise opportunities for challenge.
- Incorporating well-documented processes that meet the letter, but not the spirit, of risk recommendations.
- An over-concentration of decision-making power with function heads, with insufficient peer-group or cross-silo scrutiny.
In this scenario, risk team strategy should:
- In the short term, work informally with key decision-makers outside of bureaucratic structures to influence the decision-making process, particularly with respect to purpose, scope and methodology. Once a decision has been “set up” in a “bad bureaucracy” power structure it can be difficult to influence the outcome.
- In the medium term, seek to challenge the bureaucratic process and business norms that allow risk to be sidelined. This will likely take the form of, firstly, identifying what needs to change, and then, secondly, seeking to utilise “plastic moments” [The Overton Window, Social Capital & Risk Management] where organisations are likely to be most receptive to change.
Traditional Authority
Risk team social license [Social License & Risk Management] tends to be granted at the pleasure of senior managers with traditional authority. Traditional authority tends not to be obstructive to risk teams as long as the behaviour, activities and findings of the risk teams are not perceived to undermine it. Traditional authority also tends to be more receptive to challenge than charismatic authority, as it is normally more secure.
In a Traditional Authority environment, it is best for Risk teams to make as clear as possible what falls inside and outside their social license, and to regularly reaffirm this position through informal meetings. Risk team strategy should explicitly seek to expand the team’s social license, primarily by increasing trust.
Where Risk investigations or findings fall outside their social license they need to be first raised (cautiously and informally) to, and agreed by, those individuals who hold traditional authority.
Charismatic Authority
Charismatic authority can be the most difficult power type for risk teams, as it is the least stable and can be quite erratic. As with traditional authority, charismatic authority tends not to be obstructive to risk teams as long as their challenge is not perceived to be undermining it. Risk teams should seek to understand what areas of challenge could be seen as a threat, and adapt their challenge strategy accordingly.
As charismatic authority is dependent on an individual’s ability to influence their peers, it is vulnerable to bureaucracy (this is starting to sound like a game of rock, paper, scissors!). Risk teams should utilise a bifurcated strategy depending on context:
- Non-confrontational (preferred!): Seek to raise risk issues and concerns informally with stakeholders so that a compromise / way forward can be agreed privately, without any public loss of social capital to the individual(s) wielding Charismatic Authority.
- Confrontation (last resort!): Challenge of decision-making should focus on process and methodology, rather than outcome or purpose. It is best done in a formal, minuted, group forum. Care needs to be taken to ensure that the risk team has oversight of, and input to, any record of the meeting and agreed actions, because these can be manipulated after the fact. Charismatic individuals are very adept at isolating and influencing individual members to overturn group decisions.
Final Thoughts
Clearly, the ideal situation for risk teams is to work in organisations that value their input at all times. But organisations are made up of individuals whose status will sometimes be threatened, and status-threatened individuals will often seek to control their narrative, and undermine voices (such as the risk team's) that undermine that narrative. It would be nice to never have to work in an organisation where that is the case, but I just don't think that's how the world works. I have found the above framework very useful in making risk challenge more effective - working with the organisation as it is, rather than as I would like it to be.
I hope this blog sparks ideas and discussion. If you found it interesting, please share or connect with me on LinkedIn to contribute or provide feedback!
[i] Max Weber, Economy and Society: A New Translation (2019, edited and translated by Keith Tribe).

