Technologies of Compliance: Risk and Regulation in a Digital Age, 88 Tex. L. Rev. 669 (2009)
Legal scholarship has been silent about a phenomenon with profound implications for governance: the automation of compliance with laws mandating risk management. Regulationsâ€šÃ„Ã®from bank capitalization rules, to Sarbanesâ€šÃ„Ã®Oxley's provisions on financial fraud and misrepresentation, to laws governing information-privacy protectionâ€šÃ„Ã®frequently require regulated firms to develop internal processes to identify, assess, and mitigate risk. To comply, firms have turned wholesale to technology systems and computational analytics that measure and predict corporate risk levels and â€šÃ„Ãºforceâ€šÃ„Ã¹ decisions accordingly. In total, the third-party market for compliance-technology productsâ€šÃ„Ã®known generally as â€šÃ„Ãºgovernance, risk, and complianceâ€šÃ„Ã¹ (GRC) software, systems, and servicesâ€šÃ„Ã®alone grew to $52 billion last year, and this growth is poised to increase exponentially. While these technology systems offer powerful compliance tools, they also pose real perils. They permit computer programmers to interpret legal requirements; they mask the uncertainty of the very hazards with which policy makers are concerned; they skew decisionmaking through an â€šÃ„Ãºautomation biasâ€šÃ„Ã¹ that privileges personal self-interest over sound judgment; and their lack of transparency thwarts oversight and accountability. These phenomena played a critical role in the recent financial crisis. This Article explores these developments and the failure of risk regulation to address them. While regulators have lauded the turn to technology, they have ignored its perils. By contrast, this Article investigates the accountability challenges posed by these and other technologies of control, and suggests specific reform measures for policy makers revisiting the governance of risk. This Article argues for more activist regulator oversight backed by sanctions before disaster has occurred. But it also emphasizes collaboration in developing risk-management systems, drawing both on the granular expertise of firms and the broader vantage of administrative agencies. Most importantly, it seeks better to reflect the human decisionmaking element at both levels: to recognize the ways in which technology can hinder good judgment, to reintroduce human inputs in the decision process, and to reflect the limits of both human and computer reasoning.