Freedom and its Digital Discontents

In the first few years after the passage of Sarbanes-Oxley (SOX), the
post-Enron corporate governance law that mandated elaborate processes for
controlling risks, many executives groused about the costs of

But one firm and one CEO wholeheartedly embraced the law and claimed to use
it as the background for its sophisticated risk-management system.

In 2003, less than a year after the law was enacted, this firm’s CEO put an
independent accounting expert on the board of directors, and reconfigured the
board so that 11 out of its 13 directors were independent, as prevailing
corporate governance theory encouraged. "While our board possessed strong
financial proficiency,” the CEO stated proudly in a company press release, “it
was important to have a board member who met the specific criteria outlined by
Sarbanes-Oxley for financial expertise as we chart the course for [the firm]
over the next several years.”

In the next few years, many laudatory stories were written about this
company’s seemingly marvellous approach to risk management. In 2007, the
Institute of Internal Auditors’ Research Foundation profiled it in a case study
of “how compliance with the Sarbanes-Oxley Act of 2002 can be expanded into
Enterprise Risk Management”. The study described in breathless tones
how the company’s unique risk management software featured “530 risk matrices,
9,500 risks, and 27,000 controls.”

Since the beginning of this year, this firm has been in the news even more
often for its approach to risk management. But the stories have not been quite
as laudatory. The name of this firm touted just a year ago as paragon of
corporate compliance virtue: Countrywide Financial Corporation.

And the CEO who praised Sarbanes-Oxley as helping set the course for the next
few years is Angelo Mozilo, who is now trying to explain the company’s risk
management of mortgage securities to angry shareholders and federal agencies
from the Securities and Exchange Commission (SEC) to the Federal Bureau of

Written only a year ago, these passages in the Auditors’ Research Foundation
study on Countrywide’s enterprise risk management (ERM) programme now seem
impossible to read without laughing, or for many in the financial industry,

The passage reads: “Countrywide Financial Corporation, the subject of our
first case study, has the most comprehensive ERM program we have seen. Readers
who want to know how a state-of-the-art ERM program operates will see it
illustrated through Countrywide’s example.”

The irony is that all these descriptions of Countrywide’s risk management
practices may be essentially true. The company certainly did have many bells and
whistles and may have been doing just what laws such as SOX prescribed. The real
folly that this illustrates is the notion that politicians can somehow dictate
risk management for individual firms. Rather, risk management should be thought
of as any other commodity. And that is as an item that a market, free of
distortion from government regulations and subsidies, will produce at an optimum
level due to forces of supply and demand.

My boss, the president of the Competitive Enterprise Institute, Fred L.
Smith, has made the distinction between risk management that is “hierarchic and
political” and that which is “decentralized and competitive”. In his essay
“Cowboys Versus Cattle Thieves”, published in the 2003 Cato Institute book
Corporate Aftershock, Smith argues that the question is not whether risks should
be managed, “but rather how they should be regulated and by whom”.

Examples of competitive risk management that have developed in the private
sector include the famous “Six Sigma” practices. Originated at Motorola in 1986,
the practices have been picked up by many companies as a method of reducing
product defects. These types of “competitive risk management institutions”,
Smith writes, “evolve to enforce a set of general principles rather than
explicitly prescribe permissible behavior”. He argues that this has the virtue
of “allowing the parties to better obtain the level of risk they prefer” and
“remaining open to further refinements over time”.

Political, or government-mandated, risk management, by contrast, “is futile
because the risk management strategies of today will prove inadequate to address
the risks of tomorrow,” Smith writes. And indeed that seems to be what happened
with SOX and the situation at Countrywide. Section 404 of SOX, as interpreted by
the Public Company Accounting Oversight Board, mandates that auditors verify a
broadly defined set of “internal controls” at public companies. Auditors have
been known to look at things of such little relevance to shareholders as the
number of letters in employee passwords and which employees have office

Countrywide jumped through these hoops very well. But the best set of
internal controls cannot replace business judgment. And as debt replaced equity
for much of business financing, in significant part as a result of the high
costs of SOX, and business financing was mixed with mortgage debt in innovations
such as asset-backed commercial paper, new risks emerged.

With the multiple players involved in mortgage woes, the current crisis may
seem at first appearance a failure of decentralized risk management. But in at
least one important respect, the failure was due to reliance on top-down
institutions protected by regulation. These are America’s two main credit rating
agencies. Since the 1970s, The SEC has blocked competition by not accrediting
competing firms, while other US financial regulators have required institutions
such as banks and pension funds to only carry assets given a high rating by
these firms.

This has led to an unnatural reliance on the rating agencies to evaluate debt
instruments. It is worth noting, as the American Enterprise Institute’s Peter
Wallison does, that lightly regulated hedge funds were some of the
only financial institutions going against the subprime grain.

The market for risk management, like the market for all goods, does not lead
to perfection. There will always be bankruptcies and business failures, unless
we want to shut down growth and have a lower standard of living for all of us.
But if risk management institutions were allowed to emerge, evolve and truly
compete, much of today’s volatility and uncertainty would be greatly reduced.