When Controls Get Out of Control
Effective risk management sometimes leads to new laws and regulations. This can be great, like when workplace safety regulations addressed and eased horrific factory working conditions in the early 20th century. But over time, society changes, and regulations originally designed to achieve a laudable goal can also grow and change, becoming more complex until the regulations begin detracting from companies’ core businesses without actually reducing risk. The costs begin to outweigh the benefits.
For example, as an owner of a one-person business, I had to fill out an I-9 form for myself when I started payroll. The original goal of this requirement is to ensure employers hire only documented immigrants. But the eventual effect, in the 2010s, was that I found myself at a FedEx Kinko’s making a copy of my own passport for my own files to meet compliance requirements. It’s a small example but hopefully an illustrative one. This was not a good use of time and certainly not what the people who wrote the regulation originally intended.
Additionally, the sheer number of laws and regulations almost always increases over time and only rarely decreases. A little more is added and then a little more, until the combined bureaucratic weight crosses the line and stifles businesses rather than helping them operate safely. Ask doctors how they feel about the well-meaning requirements to use electronic health records. Or look at the plummeting number of de novo (new) banks post-2008, including small community banks.
So, wait. You’re a former regulator who’s anti-regulation?
Not at all. On the whole, laws and regulations have made modern life much better. But interesting nuances abound: we’ve gone too far in some areas (such as regulating tiny businesses) and not far enough in others (such as regulating huge businesses). And some industries (such as finance and medicine) are more regulated than others (such as technology and media), but even within highly regulated industries, that regulation is applied unevenly and in non-optimal ways. Consider hedge funds versus large sell-side banks, or private versus public companies. In a changing society where external factors are never static, it can be difficult to strike the right balance of risk management.
One possible solution to the uneven application of risk management, and the subsequent uneven build-up of controls and regulations, is periodic reassessment. It would be wonderful to have built-in checkpoints in the risk management and governance process to ask, “Have we made things too hard? And, if so, how can we reduce the burden without adding additional bureaucracy or compromising the original goal of the regulation?”
And, conversely, “Where are we not looking enough? Where is revenue burgeoning while controls lag? And what are the right leverage points to make those areas less risky, based on in-depth understanding of the process?” Identifying the wrong leverage points can lead to sub-par risk management that’s heavy on compliance checklists and low on true risk reduction.
The cultural context
One reason why regulations trend upward over time is a bit counter-intuitive. For a risk manager, it’s easy to recommend—and defend—adding another requirement. It looks like doing your job. But it’s much harder to recommend and defend the removal of a requirement. If you’re wrong—if streamlining a process makes risk increase—then liability can come into play in a way that it doesn’t when adding requirements.
So, to support streamlining of risk controls, corporate culture would need to change to champion well-supported (not haphazard!) removal of requirements that no longer serve their intended purpose—or that never did because they targeted the wrong leverage points. An organization with good data science and analysis capabilities, and strong incentives to find accurate answers in data instead of just massaging it to support desired conclusions, has the best chance of having good risk management, too.
There are examples of control relaxation succeeding on a relatively small scale. For example, the information security industry has successfully moved the standard from “change passwords frequently” to “use strong passwords, supported by multi-factor authentication, changed only when necessary.” Forcing users to change passwords every 30, 60, or 90 days was the wrong leverage point. It led to an assembly line of similar passwords: bobisSupeR1, bobisSupeR2, bobisSuperR3!, and so on until one of Bob’s passwords was compromised and it became trivial to figure out the small tweaks he made every 30 days. Much better to have Bob create a truly difficult password—maybe nkJtBE1#tOG2$tSS3} (though don’t use this as your password now!)—and then support it with multi-factor authentication, changing it only when data or suspicion indicate it may be compromised. The National Institute of Standards and Technology (NIST), which publishes guidance on information security, successfully backed off its earlier recommendation for frequent password changes, and it worked.
How about a bigger example of a control that’s gotten out of control?
Sure. Term limits are a wonderful thing; they prevent calcification and stagnation in government. But it’s become crazy to have US congressional representatives running for re-election every two years. That election approach might have worked when the US was founded—when media cycles weren’t 24/7, information took time to travel by postal mail, and re-election campaigns weren’t so all-encompassing. In that bygone time, representatives might have had lots of time to govern, with short breaks for election campaigning in their home states.
But now? Congressional representatives spend tons of time campaigning and correspondingly less time governing. Society has changed, and our laws and regulations haven’t. So, congressional representatives are less effective than they could be at the core task of governing.
Okay, what else?
Let’s talk about quarterly earnings. Public companies spend a lot of time preparing, delivering, and following up on these every-90-days snapshots. In the market at large, “earnings season” spans about two months every quarter as companies report their recent progress and often tank or soar in reaction to not just their own results, but also surrounding market conditions and the echoes of market reactions to other similar companies’ results. In our relentless 24/7 media hype cycle amplified by Reddit meme chambers, it’s a cacophony of sound and fury.
For a single company, the process is somewhat less daunting: there’s a specific earnings date, so the endeavor is limited to preparation, review, and approval of results; publication and discussion of results on the actual earnings date; and internal monitoring and reporting afterward. But that’s still a lot, especially in an era when Internet infrastructure already allows companies to communicate in real time with customers, suppliers, counterparties, and shareholders about actual business issues as they arise.
Sure, large companies can dedicate entire teams to earnings reports while leaving other employees free to pursue the core business of the company. But high-level executives unavoidably have a major focus on earnings: they’re required to be on earnings calls with analysts, and they’re required to sign off on quarterly reports. Private companies may have an advantage because high-level executives can focus on boosting long-term performance without prioritizing artificial milestones and snapshots, or considering the implications of disappointing shareholders in the short term in order to build for the long term.
So, what’s a solution? Investors deserve information.
Yes, they do. Earnings reports provide vital information to investors as a snapshot of recent performance. Company executives share context about that performance and forward-looking guidance that helps market participants adjust expectations upward or downward. Investors can decide whether to buy, sell, or hold their shares.
But since companies are increasingly required to report material events to shareholders as they occur, the marginal gain from having earnings season four times a year instead of, say, twice may be shrinking. And the potential gain from allowing companies to focus more on long-term business development and less on short-term performance targets may be growing larger, since an argument can be made that a decades-long focus on short-term results has undermined infrastructure, economies, and citizens’ well-being.
Quarterly reporting has been the standard in the US since 1970, but from 1955 to 1970, reporting was semi-annual. So this isn’t necessarily set in stone forever. A retrospective CFA Institute study didn’t find much impact among UK companies when the requirement was rolled back from quarterly to semi-annual in the EU in 2014, but large companies tended not to switch to semi-annual reporting even though they could, so this deserves further consideration and assessment.
Let’s get to the takeaway.
The main point here is not to argue that earnings season should occur less often, or that congressional representatives should have longer terms, but to point out that the original rationales for system checkpoints and controls require periodic reassessment, even though this rarely happens. In short: The world changes over time. Risk management and regulation are often slow to change with it.
Sometimes, new regulations are needed. But at other times, old regulations need to change or be dropped, and it seems fiendishly difficult to push through this type of measure in our modern society. It’s riskier for risk managers to remove or relax controls than it is to add them. But the weight of bureaucratic cruft is getting heavier and heavier, and lightening some of that load—while preserving the original goals of the requirements—can be the best way to manage risk.
-<>-<>-<>-
Extra, Extra!
Three links from the depths of my bookmark archives; think of these as tangential extras for curious readers:
1. Fates of humans and insects intertwined - by Damian Carrington in The Guardian - succinct coverage of the extinction crisis among insects.
2. Science really does advance one funeral at a time, study suggests - by Dalmeet Singh Chawla in Chemistry World - stagnation blockades science, too; it shouldn’t have to be this way.
3. Medical Neuroscience - by Leonard E. White, Ph.D. at Duke University - one of the best and toughest classes on Coursera, for those who want a true in-depth learning experience.