Technologies of compliance: Risk and regulation in a digital age

Texas Law Review

Volumn 88, Issue 4, 2010, Pages 669-739

  Bamberger, Kenneth A ^a  

^a UNIVERSITY OF CALIFORNIA   (United States)

Author keywords

[No Author keywords available]

Indexed keywords

EID: 78649292048     PISSN: 00404411     EISSN: None     Source Type: Journal    
DOI: None     Document Type: Review

References (458)

1. Joe Nocera, Risk Management: Were the Measures Used to Evaluate Wall Street Trades Flawed? Or Was the Mistake Ignoring Them?, N.Y. TIMES, Jan. 4, 2009, (Magazine), at 24, 27.
2. The firm even alleges that if insurer AIG had been allowed to fail in September 2008, Goldman would not have been hurt despite the fact that it held $13.98 billion in collateralized debt obligations written by AIG. See Peter Eavis, Goldman's Price of Protection, WALL ST. J., Mar. 18, 2009, at C14 ("If Goldman were able to withstand the bankruptcy of a large counterparty like AIG without material hits, it would bolster the view that Goldman is a savvy risk manager, and that its stock deserves to trade at a premium to other banks to reflect that.").
3. See infra note 41.
4. See Steve Eder et al., Goldman Trims Pay, Posts Profit as Shares Fall, REUTERS, Jan. 21, 2010, available at http://www.reuters.com/article/ idUSTRE60K2ZZ20100121 ("[T]he Wall Street bank report[ed] a record profit for 2009 and a better-than-expected fourth-quarter net income of $ 4.95 billion.").
5. See Editorial, On Top of the World: Goldman Sachs, ECONOMIST, Apr. 29, 2006, at 11 (chronicling that Goldman built a "proprietary technology system" that was "unmatched at rivals").
6. See Nina Mehta, FEN One on One Interview with Emanuel Derman, FINANCIAL ENGINEERING NEWS, July/Aug. 2003, http://www.ederman.com/new/docs/fen-interview. html. In this interview, former Goldman risk modeler Emanuel Derman observed: In a good way, Goldman Sachs was eclectically irreligious about what was the right way to look at risk. We didn't just rely on VAR. Estimates of the probability of bad things happening are notoriously poor because crises don't repeat themselves in exactly the same way. We relied on scenario analysis and stress-testing as well. There were limits on positions, for instance, in order to limit the loss that would occur under a repeat of the 1998 countrydefault scenario.
7. Id.
8. Nocera, supra note 1, at 27.
9. Id.
10. See generally Paul N. Otto & Annie I. Antón, Managing Legal Texts in Requirements Engineering, in DESIGN REQUIREMENTS ENGINEERING: A TEN-YEAR PERSPECTIVE 374, 374 (K. Lyytinen et al. eds., 2009) ("Requirements for software systems are increasingly originating in laws and regulations.").
11. See, e.g., 12 U.S.C. § 281 (2006) (requiring that any bank within the Federal Reserve system have "subscribed capital" of at least $4 million); id. § 461(b)(2)(A) (mandating that banks maintain a percentage of reserves as determined by the Federal Reserve Board of Governors); infra notes 64-67 and accompanying text.
12. See Sarbanes-Oxley Act of 2002, 15 U.S.C. § 7262 (2006) (requiring companies to develop internal controls to ensure the accuracy of financial reports and disclosures); infra text accompanying note 47.
13. See, e.g., Gramm-Leach-Bliley Act, 15 U.S.C. §§ 6801, 6805(a) (empowering various agencies to promulgate data-security regulations for financial institutions); 16 C.F.R. § 314.3 (2009) (instructing firms to develop risk-assessment and data-security systems "appropriate to [their] size and complexity, the nature and scope of [their] activities, and the sensitivity of any customer information at issue"); infra notes 57-60 and accompanying text.
14. See Kenneth A. Bamberger, Regulation as Delegation: Private Firms, Decisionmaking, and Accountability in the Administrative State, 56 DUKE L.J. 377, 404-08 (2006) (describing an accountability paradigm whereby traditional notions of static regulatory control are supplanted "by learning, dialogue, process, and accountability").
15. Cary Coglianese & David Lazer, Management-Based Regulation: Prescribing Private Management to Achieve Public Goals, 37 L. & SOC. REV. 691, 692 & n.1 (2003).
16. Bamberger, supra note 13, at 380.
17. See Coglianese & Lazer, supra note 14, at 695 (asserting that a management-based approach is preferable to a traditional government-imposed regulatory standard because it "place[s] responsibility for decisionmaking with those who possess the most information about risks and potential control methods").
18. See 17 C.F.R. § 240.15c3-4(a) (2009) ("An OTC derivatives dealer shall establish, document, and maintain a system of internal risk management controls to assist it in managing the risks associated with its business activities, including market, credit, leverage, liquidity, legal, and operational risks.").
19. The Bank for International Settlements estimated the global market for OTC derivatives (subject to the regulation discussed above at note 10) at $683 trillion at the end of June 2008. BANK FOR INT'L SETTLEMENTS, OTC DERIVATIVES MARKET ACTIVITY IN THE FIRST HALF OF 2008, at 6 (2008), http://www.bis.org/publ/otc-hy0811.pdf. The federal regulations for this vast market explicitly require management to ensure that "information systems are available to capture, monitor, analyze, and report relevant data." 17 C.F.R. § 240.15c3-4(d)(3) (2009).
20. Lessons Learned in Risk Management Oversight at Federal Financial Regulators: Hearing Before the Subcomm. on Securities, Insurance, and Investment of the S. Comm. on Banking, Housing, and Urban Affairs, 111th Cong. 12 (2009) (statement of Roger T. Cole, Director, Division of Banking Supervision and Regulation, Board of Governors of the Federal Reserve System),conavailable at http://banking.senate.gov/public/index.cfm?FuseAction=Files.View&FileStore- id=86367ccf-f7b1-4cd1-8ac0-8c8cd7d631b7.
21. Lori A. Richards, Dir., Office of Compliance Inspections and Examinations, U.S. Sec. & Exch. Comm'n, Compliance in Today's Environment: Step Up to the Challenge, Remarks Before the IA Compliance Best Practices Summit 2009 (Mar. 12, 2009) (transcript available at http://www. sec.gov/news/speech/ 2009/spch031209lar.htm).
22. See, e.g., Oracle Corp., Oracle Reveleus Basel II, http://www.oracle.com/ industries/financial-services/oracle-reveleus-basel-II.html (advertising an "advanced data management approach to provide a fully transparent 'ready to go' set of advanced analytical applications"); SunGard APT, RiskComply, http://www.apt.com/en/compliance/index.html (offering software that automates data collection, risk calculation, and reporting).
23. See IBM, Governance & Compliance, http://www.zurich.ibm.com/csc/ security/compliance.html (describing REALM as a "metamodel and method for modeling regulations and managing them" to support IBM's Unified Governance Framework).
24. DELOITTE LLP, GLOBAL RISK MANAGEMENT SURVEY: SIXTH EDITION: RISK MANAGEMENT IN THE SPOTLIGHT 30 (2009), http://www.deloitte.com/assets/Dcom- UnitedStates/Local%20Assets/Documents/us-fsi-GlobalRskMgmtSrvy-June09.pdf ("Effective risk management relies on a robust technology infrastructure.").
25. Sharyn Kohen, New Tech Boosts Compliance Tests, BANK TECH. NEWS, Oct. 2005, at 49, 49.
26. MICHAEL RASMUSSEN, CORPORATE INTEGRITY, 2008 GRC DRIVERS, TRENDS, & MARKET DIRECTIONS 11 (2008);
27. see also Michael Rasmussen, Who Is the Largest GRC Vendor?, Corporate Integrity Blog, http://corp-integrity.blogspot.com/2009/03/who-is-largest-grc- vendor.html (Mar. 24, 2009, 10:11 EST) (exploring further the dynamics of the GRC market).
28. See Binyamin Appelbaum & David Cho, Geithner to Propose Vast Expansion of U.S. Oversight of Financial System, WASH. POST, Mar. 26, 2009, at A1 ("The Obama administration's plan, described by several sources, would extend federal regulation for the first time to all trading in financial derivatives and to companies including large hedge funds and major insurers such as American International Group. The administration also will seek to impose uniform standards on all large financial firms, including banks, an unprecedented step that would place significant limits on the scope and risk of their activities.").
29. See Mary Hayes Weier, Comply or Die: GRC Software Ain't Sexy, but It Sure Sells, INFORMATIONWEEK, Apr. 7, 2008, at 28, 28 (noting the widespread adoption of GRC software and discussing specific examples of executive reporting and workflow management features).
30. See id. (describing use of GRC software for both security and compliance goals including fraud prevention, internal data integrity, auditing, and compliance reporting).
31. See infra section IV(C)(2).
32. Turmoil in the Financial Markets: Hearing on Financial Crisis and the Role of Federal Regulators Before the H. Comm. on Oversight and Government Reform, 110th Cong. 3 (2008) (statement of Dr. Alan Greenspan), available at http://oversight.house.gov/images/stories/documents/20081023100438.pdf.
33. See LAWRENCE LESSIG, CODE VERSION 2.0, at 5 (2006) ("[C]ode is law.").
34. Joel R. Reidenberg, Lex Informatica: The Formulation of Information Policy Rules Through Technology, 76 TEXAS L. REV. 553, 554 (1998) (noting that technological capabilities and system design choices provide sources of rule making).
35. See Hiroyuki Itami & Tsuyoshi Numagami, Dynamic Interaction Between Strategy and Technology, 13 STRATEGIC MGMT. J. 119, 129 (1992) (distinguishing technology from science and bureaucracy by describing technology as "a set of knowledge and beliefs on causal relations and thus a system of logic").
36. Nassim Taleb, The Jorion-Taleb Debate: Against VAR, DERIVATIVES STRATEGY, Apr. 1997, http://www.derivativesstrategy.com/magazine/archive/1997/0497fea2. asp.
37. Martin Heidegger, The Question Concerning Technology, in TECHNOLOGY AND VALUES: ESSENTIAL READINGS 99, 106-08 (Craig Hanks ed., 2010).
38. See Viral V. Acharya et al., The Financial Crisis of 2007-2009: Causes and Remedies, in RESTORING FINANCIAL STABILITY: HOW TO REPAIR A FAILED SYSTEM 1, 24-25 (Viral V. Acharya & Matthew Richardson eds., 2009) ("[T]he firm has no specific incentive to consider the spillover risk its own leverage and risk taking imposes on other financial institutions. This externality is further amplified when many of the financial firms face similar issues.").
39. See Appelbaum & Cho, supra note 26 (explaining that Geithner's plan will limit the risk taking at individual firms in order to avoid setting off cascading damage).
40. See EUGENE BARDACH & ROBERT A. KAGAN, GOING BY THE BOOK: THE PROBLEM OF REGULATORY UNREASONABLENESS 58-66 (discussing the difficulty of regulating among firms that have diverse manufacturing technologies and procedures, varied nonlegal incentives to comply with regulations, and disparate organizational and managerial capacities to ensure that compliance).
41. Bamberger, supra note 13, at 380.
42. See Edward L. Rubin, Images of Organizations and Consequences of Regulation, 6 THEORETICAL INQUIRIES L. 347, 386 (2005) (describing the assumption behind many incentivebased approaches to regulation that regulators impose counterproductive measures because they lack knowledge of particular firms' internal operations).
43. See, e.g., Lawyerlinks.com, Credit Crunch: Company Roll-Up, http://content.lawyerlinks.com/sec/Liability/credit-crunch/1-roll-up/ 2-companies.htm#Litigation (listing, and linking to materials from, dozens of securities and derivative suits brought against the "Credit Crunch" "Big Targets").
44. See, e.g., FED. RESERVE BANK OF N.Y., FINANCIAL TURMOIL TIMELINE 4-5 (2010), http://www.ny.frb.org/research/global-economy/Crisis-Timeline.pdf (chronicling the purchase of Bear Stearns by JP Morgan Chase, the bankruptcy of Lehman Brothers, the purchase of Merrill Lynch by Bank of America, the seizure and receivership of Washington Mutual, and the purchase of Wachovia by Wells Fargo).
45. See Niklas Luhmann, The Unity of the Legal System, in AUTOPOIETIC LAW: A NEW APPROACH TO LAW AND SOCIETY 12, 27 (Gunther Teubner ed., 1987) (observing that the legal system is a "normatively closed but cognitively open system" that must take into account the "normative expectations" of systems outside the law). For an account that emphasizes the demise of state-centered regulation.
46. see Philip G. Cerny, Embedding Global Financial Markets: Securitization and the Emerging Web of Governance, in PRIVATE ORGANIZATIONS IN GLOBAL POLITICS 59, 67-68 (Karsten Ronit & Volker Schneider eds., 2000).
47. See Orly Lobel, The Renew Deal: The Fall of Regulation and the Rise of Governance in Contemporary Legal Thought, 89 MINN. L. REV. 342, 342-50 (2004) (describing the recent shift from the traditional "New Deal" regulatory era to a "Renew Deal" governance paradigm in which government, industry, and society "share responsibility for achieving policy goals").
48. See, e.g., id. at 357-58 (describing arguments that the traditional regulatory state can no longer keep up with a society that is increasingly complex, unpredictable, and volatile).
49. See Coglianese & Lazer, supra note 14, at 696-700 (describing the use of managementbased regulation in the areas of food safety, industrial safety, and pollution prevention).
50. Id. at 695-96.
51. See IAN AYRES & JOHN BRAITHWAITE, RESPONSIVE REGULATION: TRANSCENDING THE DEREGULATION DEBATE 110-13 (1992) (describing the public and private benefits of an enforced self-regulation model, which takes advantage of the greater expertise and information of firm insiders).
52. See 15 U.S.C. § 7262(a) (2006) (requiring annual financial reports to include an internalcontrol report that states management responsibilities for internal-control schemes and an assessment of their effectiveness).
53. See, e.g., BYLAWS AND RULES, Auditing Standard No. 5, § A5 (Pub. Accounting Oversight Bd. 2007), available at http://www.pcaobus.org/Rules/Rules- of-the-Board/Auditing-Standard-5.pdf (defining "internal control over financial reporting" as a process designed by, or under the supervision of, the principal executives or financial officers of a company to provide reasonable assurance regarding the maintenance of adequate accounting records and the prevention of unauthorized acquisition, use, or disposition of the company's assets).
54. Procedure-based mandates, moreover, arise from a combination of public and private sources. The enterprise risk-management framework was developed by the private-sector Committee of Sponsoring Organizations of the Treadway Commission (COSO). COMM. OF SPONSORING ORGS. OF THE TREADWAY COMM'N, ENTERPRISE RISK MANAGEMENT-INTEGRATED FRAMEWORK, at v (2004), available at http://www.coso.org/documents/COSO-ERM-ExecutiveSummary.pdf [hereinafter COSO]. This framework, which has largely guided individual firms' compliance approach to Sarbanes-Oxley and other regulations mandating internal controls, provides important guidance regarding the required elements of a risk-management program and its auditing. The enumerated elements include appropriate risk assessment, institutional risk responses, and control activities.
55. Id. at 3-4.Nevertheless, the framework leaves much of the implementation detail open to context. The New York Stock Exchange listing standards require Board Audit Committees to "discuss guidelines and policies to govern the process" for risk assessment and risk management. NYSE, Listed Company Manual § 303A.07(c)(iii)(D) (2009).
56. Pub. L. No. 104-191, 110 Stat. 1936.
57. 45 C.F.R. § 164.306(a)(1) (2008).
58. Id. § 164.308(a)(1)(ii)(A).
59. Id. § 164.308(a)(1)(ii)(B).
60. Id. § 164.306(a)(4).
61. Pub. L. No. 106-102, 113 Stat. 1338 (1999) (codified at 15 U.S.C. §§ 6801-6827 (2006)).
62. 15 U.S.C. §§ 6801, 6805.
63. 16 C.F.R. § 314.3(a) (2009).
64. Paul M. Schwartz & Edward J. Janger, Notification of Data Security Breaches, 105 MICH. L. REV. 913, 920 (2007) (citing Interagency Guidelines Establishing Information Security Standards, 69 Fed. Reg. 77,620 (Dec. 28, 2004)).
65. S. 1490, 111th Cong. (2009) (as reported by the S. Comm. on the Judiciary, Nov. 5, 2009), available at http://www.govtrack.us/congress/bill.xpd? bill=s111-1490.
66. Id. § 302(a)(1)-(3).
67. See Interagency Guidelines Establishing Standards for Safety and Soundness, 12 C.F.R. pt. 364, app. A (2009) (listing the numerous operational and managerial standards every financial institution must develop and maintain).
68. Id. § II(A).
69. Id. § II(G).
70. See DIMITRIS N. CHORAFAS, OPERATIONAL RISK CONTROL WITH BASEL II 117 (2004) (noting that the capital requirements include market, operational, and credit risk exposures). The international Basel II Accord embodies recommendations on banking regulation developed by the Central Bank Governors of the Group of Ten nations through the Basel Committee on Banking Supervision. BASEL COMM. ON BANKING SUPERVISION, HISTORY OF THE BASEL COMMITTEE AND ITS MEMBERSHIP 1 (2009), http://www.bis.org/bcbs/history.pdf.
71. See BASEL COMM. ON BANKING SUPERVISION, INTERNATIONAL CONVERGENCE OF CAPITAL MEASUREMENT AND CAPITAL STANDARDS: A REVISED FRAMEWORK 1990 (2006) [hereinafter BASEL, A REVISED FRAMEWORK], available at http://www.bis.org/publ/ bcbs128b.pdf ("Where a bank has a VaR measure that incorporates specific risk and that meets all the qualitative and quantitative requirements for general risk models, it may base its [specific risk capital] charge on modeled estimates ⋯ .").
72. The final guidance issued after notice and comment on July 16, 2008 by the Federal Reserve Board, the FDIC, the OCC, and the Office of Thrift Supervision. It outlined the implementation of Basel II, for example, stating that in measuring credit risk, The bank should consider the various types of dependence among exposures, and the credit risk effects of extreme outcomes, stress events, and shocks to assumptions about portfolio and exposure behavior. The bank also should carefully assess concentrations in counterparty credit exposures, including those that result from trading in less liquid markets, and determine the effect that these exposures might have on capital adequacy. Supervisory Guidance: Supervisory Review Process of Capital Adequacy (Pillar 2) Related to the Implementation of the Basel II Advanced Capital Framework, 73 Fed. Reg. 44620, 44625 (July 31, 2008) (to be codified at 12 C.F.R. pts. 3, 208, 225, 325, 567). Similarly, any determination of market risk should consider a variety of factors: illiquidity of instruments, leverage, concentrated positions, one-way markets, nonlinear or deep out-of-the money option positions as well as embedded optionality, and the potential for significant shifts in correlations or other types of dependence structures. Assessments that incorporate extreme events, idiosyncratic variations, credit migrations or changes in credit spreads, defaults, and shocks should also be tailored to capture key portfolio vulnerabilities.
73. Id.
74. Susan Schmidt Bies, Governor, Fed. Reserve, An Update on Basel II Implementation in the United States, Remarks at the Global Association of Risk Professionals Basel II Summit (Feb. 26, 2007) (transcript available at http://www.federalreserve.gov/newsevents/speech/bies20070226a.htm).
75. See generally FED. FIN. INSTS. EXAMINATION COUNCIL, BANK SECRECY ACT/ANTIMONEY LAUNDERING EXAMINATION MANUAL (2007), available at http://www.ffiec.gov/bsa-aml-infobase/documents/BSA-AML-Man-2007.pdf (outlining procedures and guidance for bank officers in order to ensure adherence to the mentioned statutes and other regulations).
76. Investment Advisers Act Rule, 17 C.F.R. § 275.206(4)-6(a) (2009).
77. 17 C.F.R. § 240.15c3-4(a) (2009).
78. See supra note 26 and accompanying text.
79. See, e.g., STANDARD & POOR'S, REQUEST FOR COMMENT: ENTERPRISE RISK MANAGEMENT ANALYSIS FOR CREDIT RATINGS OF NONFINANCIAL COMPANIES (2007) (inviting industry comment on Standard & Poor's proposal to include risk-management analysis in the creditrating process).
80. See generally European Comm'n, Solvency II, http://ec.europa.eu/internal- market/insurance/solvency/index-en.htm (last updated Dec. 4, 2009) (providing links to drafts, discussions, and timetables for the project). The Solvency II regime has been called a "Basel for Insurance."
81. See KPMG LLP, STUDY INTO THE METHODOLOGIES TO ASSESS THE OVERALL FINANCIAL POSITION OF AN INSURANCE UNDERTAKING FROM THE PERSPECTIVE OF PRUDENTIAL SUPERVISION 16-17 (2002), http://intranet.icea.es/solvencia/ Documentos/KPMG%20solv%20final%20report-300402.pdf (concluding that it may be possible to tailor specific capital requirements for insurance companies).
82. Bamberger, supra note 13, at 392. For several examples of these sorts of regulation delegations to the regulated private party itself, see Coglianese & Lazer, supra note 14, at 696-700.
83. Bamberger, supra note 13, at 392; see also, e.g., Proxy Voting by Investment Advisers, 68 Fed. Reg. 6585, 6587 (Feb. 7, 2003) (codified at 17 C.F.R. pt. 275) ("We did not propose, and are not adopting, specific policies or procedures for advisers. Nor are we ⋯ providing a list of approved procedures. Investment advisers registered with us are so varied that a 'one-size-fits-all' approach is unworkable. By not mandating specific policies and procedures, we leave advisers the flexibility to craft policies and procedures suitable to their businesses ⋯ .").
84. Bamberger, supra note 13, at 381.
85. See, e.g., Timothy F. Malloy, Regulating by Incentives: Myths, Models, and Micromarkets, 80 TEXAS L. REV. 531, 531-32 (2002) ("Environmental regulation is all about using incentives to control behavior⋯ . Many regulators rely upon a 'black-box' model in developing and evaluating environmental regulatory incentives directed at businesses.").
86. See In re Caremark Int'l Inc. Derivative Litig., 698 A.2d 959, 967-68 (Del. Ch. 1996) ("[T]he business judgment rule is process oriented and informed by a deep respect for all good faith board decisions.").
87. See Bamberger, supra note 13, at 396-99 (discussing the challenges posed by the delegation of regulatory discretion).
88. see also Paul Seabright, Skill Versus Judgement and the Architecture of Organisations, 44 EUR. ECON. REV. 856, 857-59 (2000) (discussing the difficulty in codifying standards for, or even monitoring, the exercise of judgment).
89. Jerry L. Mashaw, Structuring a "Dense Complexity": Accountability and the Project of Administrative Law, ISSUES IN LEGAL SCHOLARSHIP, Mar. 2005, art. 4, at 5, http://www.bepress.com/cgi/viewcontent. cgi?article=1061&context=ils.
90. Bamberger, supra note 13, at 400.
91. Id. at 381.
92. Id. at 407.
93. See, e.g., Deloitte LLP, Finance, Risk & Regulation: Your Partner in the New Regime, http://www.deloitte.com/view/en-GB/uk/market-insights/finance- risk-and-regulation/index.htm ("The increasing volumes ⋯ of financial products traded is putting pressure on existing risk ⋯ .").
94. See, e.g., id. ("The increasing ⋯ complexity of financial products traded is putting pressure on existing risk ⋯ .").
95. See, e.g., CHRIS MCCLEAN & MICHAEL RASMUSSEN, FORRESTER WAVE: ENTERPRISE GOVERNANCE, RISK, AND COMPLIANCE PLATFORMS, Q4 2007, at 2 (2007) (noting the burdens placed on businesses by market demand, in particular, regulatory compliance, globally distributed business requirements, and multiple regulatory environments).
96. Donald Langevoort's 1985 exploration of the increasing role of information technology in financial investing flagged early on the implications for public policy.
97. See Donald C. Langevoort, Information Technology and the Structure of Securities Regulation, 98 HARV. L. REV. 747, 750 (1985) (proposing a regulatory agenda at a time that questions of "regulatory policy posed by technological advancement" were widely before the SEC, "at least in primitive form").
98. See, e.g., ERNST & YOUNG LLP, CORPORATE REGULATORY COMPLIANCE PRACTICES 29-30 (2005) (documenting the number of companies that use technology to track compliance and management, monitor compliance controls, and handle regulatory reporting).
99. See PRICEWATERHOUSECOOPERS LLP, INTELLIGENT RISK MANAGEMENT & COMPLIANCE COST REDUCTION 3 (2008) ("The last decade has seen an unprecedented increase in risk management spend[ing] ⋯ . The costs of the risk management and compliance functions themselves are only a fraction of the true cost of risk and compliance activities. The true cost of implementation of the compliance and risk activities in the front, middle, and back office processes is generally multiple times the cost of the risk management, audit and compliance departments themselves.").
100. See DELOITTE CTR. FOR BANKING SOLUTIONS, NAVIGATING THE COMPLIANCE LABYRINTH: THE CHALLENGE FOR BANKS 3 (2008), available at http://www. securitization.net/pdf/Deloitte/Compliance-17Jan08.pdf ("Compliance costs grew significantly faster than net income for financial institutions in our survey. While compliance spending as a percentage of net income for the financial institutions surveyed was 2.83% in 2002, by 2006 it had grown to 3.69%.").
101. see also PRICEWATERHOUSECOOPERS LLP, supra note 89, at 3 ("The functions that make up the risk management and compliance activities of firms have grown well beyond revenue and inflation rates ⋯ .").
102. DELOITTE CTR. FOR BANKING SOLUTIONS, supra note 90, at 3.
103. See MICHAEL G. SILVERMAN, COMPLIANCE MANAGEMENT FOR PUBLIC, PRIVATE, OR NONPROFIT ORGANIZATIONS 203 (2008) ("Each new law, regulation, or compliance mandate brings with it a new set of requirements in such areas as records management, data security, and privacy ⋯ .").
104. See id. at 212 (discussing the advantages of a "holistic, multidimensional approach to technology utilization" in compliance frameworks).
105. See, e.g., DELOITTE CTR. FOR BANKING SOLUTIONS, supra note 90, at 15 (discussing the belief of some executives that integrating separately conducted compliance and risk-management activities would reduce the costs of duplication and provide a better perspective on the operations of the enterprise).
106. See Suzanne Dickson, Compliance Automation: Software Tools Can Give Auditors More Insight into the Controls and Policies Their Organization Needs to Meet Regulatory Mandates, INTERNAL AUDITOR, Feb. 1, 2007, at 27, 27 ("With so many different regulations to consider across an entire enterprise, it is nearly impossible to correlate business requirements with regulations and policies without an automated tool set.").
107. The Growing Importance of Enterprise Risk Management, Posting of Kyle McNabb to Forrester Research Blog, http://blogs.forrester.com/information- management/2009/01/the-growingimp.html (Jan. 8, 2009, 11:57 EST).
108. Some companies spend upwards of 90% of their monitoring budgets on manual oversight. See SILVERMAN, supra note 92, at 143 (citing a 2006 report by the Securities Industry and Financial Markets Association showing that compliance staff was by far the largest cost item of a compliance program). Furthermore, the quality of such manual controls tends to decrease as workload increases.
109. See Anne M. Marchetti, Monitoring: The Behavioral Economics of Corporate Compliance with Law, 2002 COLUM. BUS. L. REV. 71, 93 (asserting that even professional auditors rely on simplifying cognitive heuristics that are less precise when they have oversized workloads).
110. See James Fanto, Anticipating the Unthinkable: The Adequacy of Risk Management in Finance and Environmental Studies, 44 WAKE FOREST L. REV. 731, 751-52 (2009) (discussing human limitations in risk management resulting from the complexity of potential risks).
111. See PAUL BOCIJ ET AL., BUSINESS INFORMATION SYSTEMS: TECHNOLOGY, DEVELOPMENT AND MANAGEMENT 36-59 (4th ed. 2008) (describing operational and management information systems and their respective business applications).
112. See generally id. (discussing the ways in which business decisionmaking processes are streamlined by management information systems).
113. See JAMES TAYLOR, SMART (ENOUGH) SYSTEMS: HOW TO DELIVER COMPETITIVE ADVANTAGE BY AUTOMATING HIDDEN DECISIONS 150 (2007) (explaining that decision trees effectively describe systems where multiple rules share initial conditions and where each rule produces only a single outcome).
114. James Grimmelmann, Note, Regulation by Software, 114 YALE L.J. 1719, 1734 (2005).
115. TAYLOR, supra note 101, at 112.
116. THOMAS H. DAVENPORT & JEANNE G. HARRIS, COMPETING ON ANALYTICS: THE NEW SCIENCE OF WINNING 7 (2007).
117. ANTHONY TARANTINO, GOVERNANCE, RISK, AND COMPLIANCE HANDBOOK: TECHNOLOGY, FINANCE, ENVIRONMENTAL, AND INTERNATIONAL GUIDANCE BEST PRACTICES 217 (2008) (describing how these risk analysis techniques permit discovery of phenomena that are "likely to be genuine" rather than "merely chance occurrences").
118. DAVENPORT & HARRIS, supra note 104, at 150.
119. Id. at 155.
120. Id. at 156. The Act also requires testimony that "the data provides a clear picture of the business, major trends, risks, and opportunities." Id.; see also TAYLOR, supra note 101, at 31 (discussing the role of systems in satisfying requirements that regulated parties not only comply with regulations but also demonstrate that compliance).
121. See Shazia Sadiq et al., Modeling Control Objectives for Business Process Compliance, in BUSINESS PROCESS MANAGEMENT 149, 149-50 (Gustavo Alonso et al. eds., 2007) (listing major compliance-system vendors).
122. See Fred Caldwell et al., Magic Quadrant for Enterprise Governance, Risk and Compliance Platforms (Gartner RAS Core Research Note G00169604, Aug. 12, 2009), available at http://mediaproducts.gartner.com/reprints/oracle/article92/ article92.html (identifying primary thirdparty vendors of GRC products and evaluating them on "completeness of vision" and "ability to execute" criteria).
123. MCCLEAN & RASMUSSEN, supra note 86, at 16-22 (making a similar evaluation of vendors based on "strategy," "current offering," and "market presence" criteria).
124. SAP AG, SAP for Oil and Gas: Regulatory Compliance, http://www.sap.com/ industries/oil-gas/large/compliance.epx.
125. SAP AG, SAP for Consumer Products: Regulatory Compliance, http://www.sap.com/industries/consumer/large/compliance.epx.
126. Press Release, Clearwater Analytics LLC, Clearwater Analytics Automates Reporting and Disclosure Requirements to Facilitate Compliance with FAS 157 (Feb. 12, 2009), available at https://www.clearwateranalytics.com/Resources/ news-events/pressreleases/fas-157-press-release.asp
127. Press Release, SAP AG, SAP and Technidata Provide First Integrated Reach Solution to Help Chemical Company Comply with New EU Regulations: New Functionality Broadens SAP's Suite of Compliance Solutions and Expands Environment, Health and Safety Offering to Reduce Chemical Industry Reporting Costs (Mar. 15, 2007), available at http://www.sap.com/usa/industries/chemicals/ large/newsevents/press.epx?pressid=7435.
128. See, e.g., Press Release, Thomson Reuters Corps., Thomson Reuters Introduces Industry's First Integrated GRC Workflow and Regulatory Content Solution (June 16, 2009), available at http://thomsonreuters.com/content/press- room/tlr-taxacct/445723 (announcing an integrated GRC software application and noting that the software will allow companies to take a holistic GRC management approach);
129. Hannah Smalltree, SAP and Novell Team Up to Integrate GRC Software with IT Infrastructure, SAP SOFTWARE/MGMT. NEWS, Oct. 15, 2009, http://searchsap. techtarget.com/news/article/0,289142,sid21-gci1371421,00.html (noting that SAP's and Novell's integrated software enables companies to approach GRC more holistically).
130. This type of risk is illustrated most dramatically by the events resulting in $1.5 billion of corporate losses and the 1995 bankruptcy of Barings PLC as a result of the actions of a single rogue trader operating outside of the firm's risk-tolerance measures.
131. Thomas J. Fitzpatrick, IV & Chris Sagers, Faith-Based Financial Regulation: A Primer on Oversight of Credit Rating Organizations, 61 ADMIN. L. REV. 557, 572 n.53 (2009);
132. see also Kimberly D. Krawiec, The Return of the Rogue, 51 ARIZ. L. REV. 127, 159 n.147 (2009) (describing how losses created by a trader's unauthorized risky trading led to Barings PLC's bankruptcy). In a similar incident in 2008, it was discovered that an allegedly rogue trader at Société Générale made $73 billion in unauthorized trades and ultimately lost the bank over $7 billion.
133. Courtney Comstock, The Adventures of Jerome Kerviel, FORBES.COM, Sept. 2, 2009, http://www.forbes.com/2009/09/02/jerome-kerviel-fraud-societegenerale- markets-faces-legal.html.
134. See, e.g., Press Release, SAP AG, SAP Collaborates with GRC Partner Community to Help Customers to Prepare for Standard & Poor's New Enterprise Risk Management Evaluations (Aug. 12, 2008), available at http://www.sap.com/ about/newsroom/businessobjects/20080815.epx (announcing that SAP and its partners developed industry-specific risk catalogs for use with SAP's GRC Risk Management application).
135. Oracle Corp., supra note 21.
136. SunGard APT, supra note 21.
137. See Innovations Software Tech., Customers, http://www.innovations- software.com/customers.html.
138. INNOVATIONS SOFTWARE TECH., CREDIT RISK RATING MODELS VISUALLY IMPLEMENTED 1 (2008), http://www.innovations-software.com/fileadmin/pdf-en/ success-story/credit-risk-rating-DGHYP.pdf.
139. See Archer Tech., GRC Solutions for Retail, http://www.archer.com/ solutions/industry/retail.html
140. See, e.g., Compliance 360, Solutions: Compliance Management, http://www.compliance360.com/solutions-compliance-management.asp
141. See, e.g., Oracle Corp., GRC Technology Controls, http://www.oracle.com/ solutions/corporate-governance/grc-technology-controls.html
142. See, e.g., SAP AG, SAP BusinessObjects Access Control: Efficiently Control Access and Prevent Fraud, http://www.sap.com/solutions/ sapbusinessobjects/large/governance-risk-compliance/accessandauthorization/ index.epx
143. See MCCLEAN & RASMUSSEN, supra note 86, at 3 (asserting that GRC platforms will evolve and begin to incorporate business-logic and business-rules engines).
144. see also, e.g., Fair Isaac Corp., FICO Blaze Advisor Business Rules Management, http://www.fico.com/en/Products/DMTools/Pages/FICO-Blaze-Advisor- System.aspx
145. See, e.g., Salem Assocs. Inc., Lending Automation Processing System (LAPS), http://www.salemassociates.com/salemwebsite/laps.htm (providing an example of a loanorigination system that automates applicant evaluations and decisionmaking).
146. See, e.g., France's Banque Populaire Group Uses Fair Isaac Rules Management Technology to Help Drive Basel II Compliance, BUSINESSWIRE, Mar. 31, 2004, http://www.allbusiness.com/banking-finance/banking-lending-credit- services/5587320-1.html
147. E.g., 16 C.F.R. § 314.4 (2009) ("In order to develop, implement, and maintain your information security program you shall: ⋯ (c) Design and implement information safeguards to control the risks you identify through risk assessment, and regularly test or otherwise monitor the effectiveness of the safeguards' key controls, systems, and procedures.").
148. See COSO, supra note 49, at 3-4 (indicating that the COSO framework includes components of risk-response and risk-management-system monitoring);
149. id. at 6 (indicating that several levels of management play key roles within the COSO framework).
150. U.S. SENTENCING GUIDELINES MANUAL § 8B2.1(b)(2)(B), (b)(5)(A) (2009).
151. See In re Caremark Int'l Inc. Derivative Litig., 698 A.2d 959, 970 (Del. Ch. 1996) (holding that corporate boards have an "obligation to be reasonably informed").
152. id. ("[A] director's obligation includes a duty to attempt in good faith to assure that a corporate information and reporting system, which the board concludes is adequate, exists ⋯ .").
153. See Scott Leibs, One for Three: Should Governance, Risk Management, and Compliance Be Tackled as One Problem, or Is This a Classic Case of Scope Creep?, CFO MAGAZINE, Sept. 1, 2007, available at http://www.cfo.com/article.cfm/ 9689509/1/c-2984409?f=archives
154. see also Brian Klemm, The Genius of Compliance Technology, CORP. COMPLIANCE INSIGHTS, Feb. 3, 2009, http://www.corporatecomplianceinsights.com/ 2009/genius-of-compliance-technology ("In order to effectively prevent problems and manage risks, compliance professionals are implementing controls and measuring and monitoring them with metrics to evaluate how well such controls are performing.").
155. TARANTINO, supra note 105, at 309.
156. See HUGH TAYLOR, THE JOY OF SOX 227-28, 236 (2006) (enumerating the Sarbanes-Oxley compliance-package software options that vendors offer, including exception-monitoring software that can monitor multiple sources of information at the same time and correlate the data to better detect problems or internal control failures);
157. see also IBM Corp., Workplace for Business Controls and Reporting, http://www-01.ibm.com/software/lotus/products/business-controlsreporting;
158. SAP AG, SAP BusinessObjects Process Control: Drive Confidence Through Continuous Control Monitoring, http://www.sap.com/solutions/sapbusinessobjects/ large/governance-riskcompliance/grcprocesscontrol/index.epx (both exemplifying this kind of software).
159. See, e.g., BWise, Inc., Loss & Incidents Database, http://www.bwise.com/solutionsservices/solution-components/loss-incidents- database; IBM Corp., supra note 135; Oracle Corp., Integrated Financial and Compliance Analytics, http://www.oracle.com/solutions/corporate-governance/ integrated-financial-and-compliance-analytics.html; SAP AG, supra note 125 (all providing this kind of functionality).
160. Riva D. Atlas & Jonathan D. Glater, Mystery at Refco: How Could Such a Huge Debt Stay Hidden?, N.Y. TIMES, Oct. 24, 2005, at C1.
161. Id.
162. Id.
163. Gretchen Morgenson & Jenny Anderson, Insiders Collected $1 Billion Before Refco Collapse, N.Y. TIMES, Oct. 20, 2005, at C1.
164. See Klemm, supra note 133 ("Technology can enhance visibility into an organization's risk landscape-including strategic, operational, reporting, compliance, market, credit and technology related risks ⋯ .").
165. See RICHARD H. HALL, ORGANIZATIONS: STRUCTURES, PROCESSES, AND OUTCOMES 169 (8th ed. 2002) ("If the total rationale for all actions were known to all members, the potential for chaos would be high, since communication overload would quickly occur.").
166. See John C. Coffee, Jr., Beyond the Shut-Eyed Sentry: Toward a Theoretical View of Corporate Misconduct and an Effective Legal Response, 63 VA. L. REV. 1099, 1137-39 (1977) (discussing the "problems associated with the upward transmission of adverse information within the corporate hierarchy").
167. Kirsten Foss & Nicolai J. Foss, Authority in the Context of Distributed Knowledge 8-9 (Danish Research Unit for Indus. Dynamics, Working Paper No. 03-08, 2002), available at http://www3.druid.dk/wp/20030008.pdf;
168. see Nicolai J. Foss, Firms and the Coordination of Knowledge: Some Austrian Insights 24-27 (Danish Research Unit for Indus. Dynamics, Working Paper No. 98-19, 1998), available at http://www3.druid.dk/wp/19980019.pdf (discussing tacit forms of knowledge and how they relate to business planning);
169. see also MICHAEL POLANYI, THE TACIT DIMENSION 4-20 (Anchor Books 1967) (1966) (describing psychological experiments and various aspects of tacit knowledge).
170. See Coffee, supra note 143, at 1135-36 (explaining the theory of "subgoal pursuit," which is that "given an opportunity to exercise discretion, managers at lower levels within a firm will tend to act not to maximize the firm's welfare, but rather the interests and autonomy of their own unit or division").
171. Id. at 1139.
172. See Donald C. Langevoort, Organized Illusions: A Behavioral Theory of Why Corporations Mislead Stock Market Investors (And Cause Other Social Harms), 146 U. PA. L. REV. 101, 135-39 (1997) (noting the common norm in business to only communicate information upward that is significant and unusual as one reason why cognitive conservatism and decision simplification limit the communication of risk).
173. See supra notes 135-36 and accompanying text.
174. See IBM Corp., supra note 135 ("Role based dashboards provide visual views of risk and control environment status.");
175. SAP AG, supra note 125 ("You can gain continuous visibility across compliance initiatives via accountability and standardization of processes, together with comprehensive reports and dashboards to monitor effectiveness across systems.").
176. See, e.g., Kenneth A. Froot et al., Risk Management: Coordinating Corporate Investment and Financing Policies, 48 J. FIN. 1629, 1629 (1993) (noting that financial executives consider risk management one of their primary objectives);
177. Ellen S. Pryor, The Economic Loss Rule and Liability Insurance, 48 ARIZ. L. REV. 905, 911-12 (2006) (acknowledging the prominent role and relevance of risk allocation for insurers seeking to limit their economic losses).
178. See generally Steve Hamm, IBM Roars into Business Consulting, BUS. WK., Apr. 15, 2009, at 10, 10 (discussing a test system developed by IBM and run on one of its Blue Gene supercomputers permitting financial-services company TD Securities Inc. to analyze options-trading data in real time and make adjustments in microseconds).
179. See PETER G. NORTHOUSE, LEADERSHIP: THEORY AND PRACTICE 185 (4th ed. 2006) (defining management by exception as "leadership that involves corrective criticism, negative feedback, and negative reinforcement").
180. See, e.g., David McCann, Internal Audit Automation Set for Takeoff?, CFO.COM, Oct. 22, 2008, http://www.cfo.com/article.cfm/12459877 (describing efficient new GRC software that provides a continuous view of risk and generates timely alerts when exceptions are noted).
181. See Bamberger, supra note 13, at 383-84 (observing that private firms with regulatory discretion suffer from accountability problems and irrational decisionmaking).
182. See David Hirshleifer & Siew Hong Teoh, Limited Attention, Information Disclosure, and Financial Reporting, 36 J. ACCT. & ECON. 337, 341-44 (2003) (reviewing the theory and evidence on limited attention and information processing).
183. See HERBERT A. SIMON, ADMINISTRATIVE BEHAVIOR, at xxix (3d ed. 1976) (remarking that humans consider only a few possible courses of action and choose to settle for a solution that is adequate rather than "maximizing").
184. See RICHARD M. CYERT & JAMES G. MARCH, A BEHAVIORAL THEORY OF THE FIRM 113 (1963) ("These rules are the focus for control within the firm; they are the result of a long-run adaptive process by which the firm learns; they are the short-run focus for decision making within the organization.") .
185. See id. (arguing that organizations use "rules of thumb" to make and implement choices and that these procedures dominate the decisions made in the short run).
186. JAMES G. MARCH ET AL., THE DYNAMICS OF RULES 186 (2000).
187. JAMES G. MARCH, EXPLORATIONS IN ORGANIZATIONS 67 (2008).
188. See generally Amos Tversky & Daniel Kahneman, Judgment Under Uncertainty: Heuristics and Biases, in JUDGMENT UNDER UNCERTAINTY: HEURISTICS AND BIASES 3, 11-14 (Daniel Kahneman et al. eds., 1982) (discussing the tendency to assess the "frequency of a class or the probability of the event by the ease with which instances or occurrences can be brought to mind").
189. See, e.g., DAN MAYER, ESSENTIAL EVIDENCE-BASED MEDICINE 193-94 (2004) (describing doctors' tendency, due to the availability heuristic, to look for similar causes of recently treated symptoms, thereby overlooking other causes).
190. For discussion of "commitment" or "confirmation" biases, see generally Jürgen Beckmann & Julius Kuhl, Altering Information to Gain Action Control: Functional Aspects of Human Information Processing in Decision Making, 18 J. RES. PERSONALITY 224 (1984), discussing findings that individuals make use of selective changes in information processing depending on personal goals;
191. Hillel J. Einhorn & Robin M. Hogarth, Confidence in Judgment: Persistence of the Illusion of Validity, 85 PSYCHOL. REV. 395 (1978), explaining the persistence of individuals' overconfidence in judgment through learning models;
192. Jonathan St. B.T. Evans, Beliefs and Expectations as Causes of Judgmental Bias, in JUDGMENTAL FORECASTING 31, 33 (George Wright & Peter Ayton eds., 1987), describing confirmation bias as the theory "that people's thinking is channel[]ed and biased by prior beliefs and expectations which inhibit logical reasoning";
193. Barry M. Staw, The Escalation of Commitment to a Course of Action, 6 ACAD. MGMT. REV. 577 (1981), exploring the observed tendency to escalate commitment in the face of losses. For discussions of predecisional distortions of information,
194. see generally Aaron L. Brownstein, Biased Predecision Processing, 129 PSYCHOL. BULL. 545 (2003), presenting a review of evidence surrounding biased predecision processing across various models of decisionmaking and J. Edward Russo et al., The Distortion of Information During Decisions, 66 ORGANIZATIONAL BEHAV. & HUM. DECISION PROCESSES 102, 105-07 (1996), reporting findings of predecision distortions.
195. Diane Vaughan, The Dark Side of Organizations: Mistake, Misconduct, and Disaster, 25 ANN. REV. SOC. 271, 280-81 (1999).
196. See Langevoort, supra note 147, at 107 (discussing the effect of biased information processing on firm-management behavior).
197. See id. at 144 ("The notion of self-serving inference is another fundamental construct in social cognition."). For other discussions of self-serving bias,
198. see Linda Babcock & George Loewenstein, Explaining Bargaining Impasse: The Role of Self-Serving Biases, 11 J. ECON. PERSP. 109, 110-17 (1997), providing empirical support of the self-serving bias;
199. Christine Jolls et al., A Behavioral Approach to Law and Economics, 50 STAN. L. REV. 1471, 1501-04 (1998), reviewing literature surrounding the effect of self-serving biases on conceptions of fairness;
200. Jeffrey J. Rachlinski, The Uncertain Psychological Case for Paternalism, 97 NW. U. L. REV. 1165, 1172-73 (2003), offering a brief review and categorization of types of self-serving biases.
201. Langevoort, supra note 147, at 144.
202. Id. at 141.
203. Id. at 106.
204. See Bonnie Ray et al., Harnessing Uncertainty: The Future of Risk Analytics 7-10 (IBM Research Report RC24534, 2008), available at http://domino.research.ibm.com/library/cyberdig.nsf/papers/ B910FD442135744585257434005349F4/$File/rc24534.pdf (outlining the potential of risk-modeling tools to determine "risk events" and their possible impacts).
205. See Carla O'Dell & C. Jackson Grayson, If Only We Knew What We Know: Identification and Transfer of Internal Best Practices, 40 CAL. MGMT. REV. 154, 157 (1998) (contrasting internal benchmarking with "[o]rganizational structures that promote 'silo' behavior").
206. See C. Marlene Fiol & Edward J. O'Connor, Waking Up! Mindfulness in the Face of Bandwagons, 28 ACAD. MGMT. REV. 54, 59 (2003) ("Mindful scanning entails an expanded data search that extends beyond data relevant to past events and past behaviors, or what others are doing, and that leads to new, pertinent distinctions and categories.").
207. Id. at 63.
208. See Karl E. Weick et al., Organizing for High Reliability: Processes of Collective Mindfulness, 21 RES. ORGANIZATIONAL BEHAV. 81, 92 (1999) (discussing how mindful organizations treat local failures as signs of a more general, system-wide problem).
209. See supra notes 1-8 and accompanying text.
210. See supra note 6.
211. See Nocera, supra note 1, at 27 (recounting Goldman's decision to start minimizing risk in early 2007 in response to a ten-day decline in mortgage revenue, which risk models had identified as a possible indicator of an impending market slump).
212. See supra note 2.
213. Information disclosure is a central feature of many regulatory regimes, notably those governing financial and environmental matters, and is geared toward fostering market or political accountability through the dissemination of accurate information that would otherwise remain hidden within firms.
214. See generally Cass R. Sunstein, Informational Regulation and Informational Standing: Akins and Beyond, 147 U. PA. L. REV. 613, 618-25 (1999) (discussing those compelled disclosures that are meant to affect market responses and those meant to affect political responses).
215. 15 U.S.C. § 78m (2006).
216. See 17 C.F.R. § 240.13a-11 (2009) (requiring registrants to file a current report on Form 8-K within the time period specified on that form); SEC, FORM 8-K §§ 1-6, available at http://www.sec.gov/about/forms/form8-k. pdf (specifying triggering events-bankruptcy, disposition of a significant amount of assets, and material impairments-that require registrants, in most cases, to file Form 8-K within four business days of the events).
217. See 31 C.F.R. § 103.18 (2009) (detailing the characteristics of transactions that would require an entity to file a Suspicious Activity Report).
218. See LESSIG, supra note 31, at 5 ("[Cyberspace] compels us to look beyond the traditional lawyer's scope-beyond laws, regulations, and norms. It requires ⋯ the recognition of a newly salient regulator.");
219. see also LAWRENCE LESSIG, CODE AND OTHER LAWS OF CYBERSPACE 5 (1999) ("Cybernetics had a vision of perfect regulation. Its very motivation was finding a better way to direct.").
220. Reidenberg, supra note 31, at 554-55.
221. Grimmelmann, supra note 102, at 1732.
222. LESSIG, supra note 31, at 324.
223. See Jerry L. Mashaw & David L. Harfst, Regulation and Legal Culture: The Case of Motor Vehicle Safety, 4 YALE J. ON REG. 257, 293-95 (1987) (discussing the concept of technology forcing);
224. Thomas O. McGarity, Radical Technology-Forcing in Environmental Regulation, 27 LOY. L.A. L. REV. 943, 956-58 (1994) (arguing that technology forcing is, in many contexts, preferable to quality-based and technology-based approaches to environmental pollution problems);
225. Russell V. Randle, Forcing Technology: The Clean Air Act Experience, 88 YALE L.J. 1713, 1718-27 (1979) (citing the copper-smelting industry and the electric-power industry as examples of technology forcing being used to combat pollution);
226. Richard B. Stewart, Regulation, Innovation, and Administrative Law: A Conceptual Framework, 69 CAL. L. REV. 1256, 1267 (1981) (mentioning the benefits of technology forcing in furthering the development and adoption of technology);
227. see also Gideon Parchomovsky & Alex Stein, Torts and Innovation, 107 MICH. L. REV. 285, 287-90 (2008) (pointing out that, in tort law, defendants can often be found negligent for adopting unconventional technology and examining the difficulties that this standard poses for R&D).
228. See McGarity, supra note 187, at 945-47 (highlighting the EPA's regulation of Mirex as an example of technology forcing succeeding in introducing new products to the market).
229. See Randle, supra note 187, at 1717-18 (commenting on the EPA's standard-review powers under the Clean Air Act as a way to ensure that private companies continue to adopt control-technology improvements).
230. See, e.g., FED. RESERVE SYS., TRADING AND CAPITAL MARKETS ACTIVITIES MANUAL § 2040.1, at 1 (2003), available at http://www.federalreserve.gov/ boarddocs/supmanual/trading/trading.pdf ("To manage their risk-management process in the current financial and technological environment, financial institutions are more readily prepared to incorporate the latest communications systems and database management techniques. In addition, new financial concepts are rapidly becoming standard practice in the industry, made possible by powerful computing tools and communications systems.");
231. FED. RESERVE SYS., DIV. OF BANKING SUPERVISION & REGULATION, LETTER SR 00-3, INFORMATION TECHNOLOGY EXAMINATION FREQUENCY 1 (2000), available at http://www.federalreserve.gov/boarddocs/srletters/2000/SR0003.htm ("Banking organizations increasingly rely on information technology to conduct their operations and manage risks.");
232. OFFICE OF THE COMPTROLLER OF THE CURRENCY, BULLETIN NO. 98-3, TECHNOLOGY RISK MANAGEMENT 4 (1998), available at http://www.ffiec.gov/ffiecinfobase/ resources/info-sec/occ-bu98-3-technology-risk-management.pdf ("Today, technology has moved 'out front' into virtually all aspects of banking. Technology is a key aspect of many bank business decisions and many new bank products are reliant on new technologies. Uses of technology are integral to bank operations and have been a primary force in creating new competitive opportunities for banks.");
233. FED. FIN. INST. EXAMINATION COUNCIL, IT EXAMINATION HANDBOOK 1 (2004), available at http://www.ffiec.gov/ffiecinfobase/booklets/operations/operation. pdf ("As the complexity of technology has grown, the financial services industry has increased its reliance on vendors, partners, and other third parties for a variety of technology solutions and services. Institutions will frequently operate or manage various IT resources from these third-party locations.");
234. U.S. DEPT. OF TREASURY, OFFICE OF THRIFT SUPERVISION, EXAMINATION HANDBOOK § 341.1 (2008), available at http://files.ots.treas.gov/422120.pdf ("Even the most traditional, conservative associations have embraced technology.").
235. These exceptions, such as certain activities of the Federal Trade Commission and the Food and Drug Administration, discussed in Part V as models for innovation, occur largely outside the financial-regulation context.
236. COSO, supra note 49.
237. See infra notes 265-88 and accompanying text.
238. See, e.g., 17 C.F.R. § 229.305(a)(iii)(A) (2009) (requiring "[q]uantitative and qualitative disclosures about market risk" in standard SEC filings).
239. See Andrew Farrell, Fed Gov Bies Quits, FORBES.COM, Feb. 9, 2007, http://www.forbes.com/2007/02/09/susan-bies-fed-face-cx-af-0209autofacescan04. html ("Bies had recently voiced frustration at the slow progress [in implementing Basel II in the United States].").
240. Susan Schmidt Bies, Governor, Fed. Reserve, Enterprise Risk Management and Mortgage Lending, Remarks at the National Credit Union Administration 2007 Risk Management Summit (Jan. 11, 2007) (transcript available at http://www.federalreserve.gov/newsevents/speech/bies20070111a.htm).
241. Richards, supra note 20.
242. See Akira Tsuchiya, Toward Effective eGovernment Implementation: Examining Characteristics of U.S. Internet Users, GEO. PUB. POL'Y REV., Fall 2004, at 41, 43 (stating that imperfectechnologies work as "effective and efficient managerial tools which accumulate, store, organize, and manage information").
243. See Patrick Feng, Rethinking Technology, Revitalizing Ethics: Overcoming Barriers to Ethical Design, 6 SCI. & ENGINEERING ETHICS 207, 211-12 (2000) (explaining that scholars in the field of Science and Technology Studies argue that "technology both shapes and is shaped by its social context" (emphasis omitted));
244. Batya Friedman & Helen Nissenbaum, Bias in Computer Systems, 14 ACM TRANSACTIONS ON INFO. SYS. 330, 333 (1996) (introducing a framework for analyzing system bias that the authors developed by examining seventeen systems from various fields).
245. See Feng, supra note 199, at 210 (debunking the myth that technology is value-neutral, in part by offering Internet filtering programs as an example-"the fact that [such] programs censor some web sites but not others suggests that values can literally be embedded in the design of these technologies").
246. See Friedman & Nissenbaum, supra note 199, at 333-34 (noting that whereas "[p]reexisting biases may originate in society ⋯ and in formal or informal, private or public organizations and institutions," technical biases "arise[] from technical constraints or technical considerations").
247. Id. at 333.
248. See id. at 335 (listing sources of technical bias that exist in the design process).
249. See Danielle Keats Citron, Technological Due Process, 85 WASH. U. L.R. 1249, 1261-62 (2008) (indicating that policy distortions can arise when code writers-who lack "policy knowledge" and may themselves be biased-translate policy from human language to computer code).
250. See Tobias Scheytt et al., Organizations, Risk and Regulation, 43 J. MGMT. STUD. 1331, 1333 (2006) ("[D]eeply rooted ideas about the ways in which risk is 'normally' handled ⋯ inform the organization of cognition by accounting and information systems." (quoting KARL E. WEICK, SENSEMAKING IN ORGANIZATIONS 102 (1995))).
251. See generally THEODORE M. PORTER, TRUST IN NUMBERS: THE PURSUIT OF OBJECTIVITY IN SCIENCE AND PUBLIC LIFE 29 (1995) (discussing the role of quantification in standardizing and reflecting a community's means of understanding knowledge);
252. Bruce G. Carruthers & Wendy Nelson Espeland, Accounting for Rationality: Double-Entry Bookkeeping and the Rhetoric of Economic Rationality, 97 AM. J. SOCIOLOGY 31 (1991) (discussing the accounting field's standardization of understandings regarding measurement). 206.
253. See Claudio Ciborra, Imbrication of Representations: Risk and Digital Technologies, 43 J. MGMT. STUD. 1339, 1345-47 (2006) (concluding that managerial practice often diverges from system predictions due to the latter's reliance upon "purely technical perspectives, such as that of the 'unbiased' decision maker").
254. See Citron, supra note 204, at 1261 (hypothesizing that because artificial languages employ a more limited vocabulary than human languages, they "are unable to capture the nuances of a particular policy").
255. See Vincy Fon & Francisco Parisi, On the Optimal Specificity of Legal Rules, 3 J. INSTITUTIONAL ECON. 147, 147 (presenting a model of optimal specificity of laws that predicts the use of standards instead of rules in areas undergoing rapid change).
256. Ciborra, supra note 206, at 1346.
257. See TAYLOR, supra note 101, at 31 ("If more of your decisions are embedded in your information systems, however, you risk pushing the enforcement of these rules onto programmers who don't understand them, not onto businesspeople who do.").
258. See Citron, supra note 204, at 1261 ("Information technology consultants cannot be expected to have specialized expertise in regulatory or public benefits programs."). The "experts" may not even possess uniform expertise of their own. As one commentator has noted, "To put it bluntly, you can't be a quant if you can't code ⋯ . To put it blunter, you would be hard-pressed to find a finance academic who can code ⋯ ." PABLO TRIANA, LECTURING BIRDS ON FLYING: CAN MATHEMATICAL THEORIES DESTROY THE FINANCIAL MARKETS? 68 (2009).
259. Friedman & Nissenbaum, supra note 199, at 334.
260. See Jay P. Kesan & Rajiv C. Shah, Deconstructing Code, 6 YALE J.L. & TECH. 277, 283 (2004) ("[Science & Technology Studies] examines how technology is shaped by societal factors such as politics, institutions, economics, and social structures.").
261. See Hamm, supra note 151, at 10 ("IBM built a test system for financial-services company TD Securities that lets it analyze options trading data in real time and make adjustments in microseconds. The system, run by IBM on one of its Blue Gene supercomputers, improved the performance of the trading system by a factor of 20.").
262. Press Release, Argonne Nat'l Lab., Argonne's Supercomputer Named World's Fastest for Open Science, Third Overall (June 18, 2008), available at http://www.alcf.anl.gov/news/media-files/alcf-top500release-0608.pdf.
263. See, e.g., Fon & Parisi, supra note 208, at 149 ("The lack of a perfect fit between the ex ante legal rule and the circumstances of individual cases may create social losses. From an efficiency perspective, standards allow ad hoc custom-tailoring of the law to the circumstances ofthe case at bar, reducing problems of over-inclusion and under-inclusion.");
264. see also John Braithwaite, Rules and Principles: A Theory of Legal Certainty, 27 AUSTL. J. LEGAL PHIL. 47, 60-75 (2002) (showing, based on a comparative study of the regulation of nursing homes in the United States and Australia, how a regulatory regime based on the proliferation of detailed rules creates an unwieldy, confusing body of rules and exceptions, leading to uncertain and inconsistent applications).
265. John H. Walsh, Assoc. Dir.-Chief Counsel, Office of Compliance Inspections & Examinations of U.S. Sec. & Exch. Comm'n, Remarks Before the NRS 21st Annual Spring Compliance Conference (April 18, 2006) (transcript available at http://www.sec.gov/news/speech/2006/spch041806jhw.htm).
266. Id.
267. Harry Surden et al., Representational Complexity in Law, 11 INT'L CONF. ON ARTIFICIAL INTELLIGENCE & L. 193, 193 (2007).
268. Id. at 194;
269. see also Roger Brownsword, So What Does the World Need Now? Reflections on Regulating Technologies, in REGULATING TECHNOLOGIES: LEGAL FUTURES, REGULATORY FRAMES AND TECHNOLOGICAL FIXES 23, 44 (Roger Brownsword & Karen Yeung eds., 2008) ("[F]or whatever traditional legal rules might mean on paper, there is often a practice around the rule that is quite different.").
270. See Helen Nissenbaum, Accountability in a Computerized Society, in HUMAN VALUES AND THE DESIGN OF COMPUTER TECHNOLOGY 41 (Batya Friedman ed., 1997) (discussing the ways in which the "problem of many hands" erodes accountability in computerized societies);
271. see also Claudio U. Ciborra, De Profundis? Deconstructing the Concept of Strategic Alignment, 9 SCANDINAVIAN J. INFO. SYS. 67, 77 (1997) ("[O]ne can take for granted that management can in various degree harness IT infrastructure to achieve business goals ⋯ . However, a closer look at the internal dynamics of IT infrastructure would show that: many actors are involved in its establishment or development, so that it is not controlled by only one actor.").
272. ANTHONY GIDDENS, CONSEQUENCES OF MODERNITY 131-34 (1991) (detailing the "risk profile" of modernity).
273. See, e.g., Grimmelmann, supra note 102, at 1730-31 (quoting FREDERICK P. BROOKS, JR., The Tar Pit, in THE MYTHICAL MAN-MONTH 3, 7 (anniversary ed. 1995) (1975) ("Few media of creation are so flexible, so easy to polish and rework, so readily capable of realizing grand conceptual structures.")).
274. Langdon Winner, Do Artifacts Have Politics?, in ENVIRONMENTALISM: CRITICAL CONCEPTS 141, 149 (David Pepper et al. eds., 2003).
275. Ciborra, supra note 221, at 76; see id. at 76-77 (arguing that while people initially create technological infrastructures to serve their particular needs, ultimately this very infrastructure has as great of an influence in shaping human behavior as the humans had in shaping it).
276. Winner, supra note 224, at 149.
277. See Grimmelmann, supra note 102, at 1732 ("That programmers have such flexibility does not necessarily mean that users do⋯ . When users are powerless over software, it is often because programmers have made design decisions that leave users without power. Indeed, this imbalance is part of the effectiveness of regulation by software.").
278. See TAYLOR, supra note 101, at 33 ("Different programmers might have coded layer after layer of policies and other types of rules in various ways. Some companies have tens of thousands of rules coded into their systems ⋯ .").
279. Chris Preimesberger, Wall Street's 'Colossal' Risk Management Failure, EWEEK, Sept. 30, 2008, http://www.eweek.com/c/a/IT-Infrastructure/Wall-Streets- Collossal-Risk-Management-Failure (quoting Art Coviello, president of EMC Corporation's RSA Security division);
280. see also The Un-Gilded Age, http://brilliantleap.com/blog/2008/10/the- ungilded-age.html (Oct. 1, 2008, 22:23 EST) (acknowledging the validity of Art Coviello's comments in eWeek as to external data-security threats but questioning whether the technological methods can be effectively applied to mitigate internal risks stemming from ignorant or intentionally harmful employee behavior).
281. CORPORATE BD. MEMBER & PRICEWATERHOUSECOOPERS LLP, WHAT DIRECTORS THINK: A SPECIAL RESEARCH STUDY 2008, at 5 fig.4 (2008), available at http://www.boardmember.com/Article-Details.aspx?id=2267.
282. See MARTIN HEIDEGGER, The Question Concerning Technology, in THE QUESTION CONCERNING TECHNOLOGY AND OTHER ESSAYS 3, 19-21 (William Lovitt trans., 1977) (describing the notion of "Gestell," or "enframing," as "the essence of modern technology");
283. see also CLAUDIO CIBORRA, THE LABYRINTHS OF INFORMATION: CHALLENGING THE WISDOM OF SYSTEMS 74-78 (2002) (exploring Heidegger's notion in the context of information systems).
284. Mary L. Cummings, Automation and Accountability in Decision Support System Interface Design, 32 J. TECH. STUD. 23, 25 (2006);
285. see also J. Elin Bahner et al., Misuse of Automated Decision Aids: Complacency, Automation Bias and the Impact of Training Experience, 66 INT'L J. HUM.-COMPUTER STUD. 688, 688-89 (2008) (discussing increased "complacency" in the form of a reduction in the amount of information sampled in order to verify automated recommendations).
286. Eugenio Alberdi et al., Use of Computer-Aided Detection (CAD) Tools in Screening Mammography, 79 BRIT. J. RADIOLOGY S31, S33 (2005).
287. Steven T. Schwartz & David E. Wallin, Behavioral Implications of Information Systems on Disclosure Fraud, 14 BEHAV. RES. ACCT. 197, 219 (2002);
288. see also Shigeyuki Goto, The Bounds of Classical Risk Management and the Importance of a Behavioral Approach, 10 RISK MGMT. & INS. REV. 267, 276-77 (2007) (discussing the potential role of an imperfect risk model in enhancing the effect of actors' biased judgments).
289. See Scheytt et al., supra note 205, at 1333 ("If partial explanations of events which suit interested parties become institutionally accepted as legitimate, organizational reform processes may follow a logic which increases rather than decreases risk.").
290. See Paul J. DiMaggio & Walter W. Powell, The Iron Cage Revisited: Institutional Isomorphism and Collective Rationality in Organizational Fields, 48 AM. SOC. REV. 147, 152 (1983) ("Organizations tend to model themselves after similar organizations in their field that they perceive to be more legitimate or successful.");
291. W. Richard Scott & John W. Meyer, The Organization of Societal Sectors, in ORGANIZATIONAL ENVIRONMENTS: RITUAL AND RATIONALITY 129, 140 (John W. Meyer & W. Richard Scott eds., 1983) ("Institutional sectors are characterized by the elaboration of rules and requirements to which individual organizations must conform if they are to receive support and legitimacy from the environment.").
292. See Lauren B. Edelman et al., The Endogeneity of Legal Regulation: Grievance Procedures as Rational Myth, 105 AM. J. SOC. 406, 416 (1999) (contending that, in the context of grievance procedures, "myths [of rationality] originate from models that have already been institutionalized in other social arenas ⋯ [that] influence law and, hence, market forces");
293. Lauren B. Edelman et al., Internal Dispute Resolution: The Transformation of Civil Rights in the Workplace, 27 LAW & SOC'Y REV. 497, 529 (1993) (characterizing organizational complaint handlers' approaches to handling discrimination complaints as "[subsuming] law within the managerial realm ⋯ [and] transforming [law] into a diffuse standard of fairness");
294. cf. JANET M. TAKAVOLI, DEAR MR. BUFFETT: WHAT AN INVESTOR LEARNS 1,269 MILES FROM WALL STREET 38 (2008) (quoting an internal Berkshire Hathaway memo from Warren Buffett as reading, "The five most dangerous words in business may be 'Everybody else is doing it.'").
295. See Scheytt et al., supra note 205, at 1333 ("[S]table climates of probabilistic reasoning in risk management are challenged by the transformation of side-effects into new risk 'objects' ⋯ .").
296. See BARDACH & KAGAN, supra note 37, at 64-66 (arguing that most regulated enterprises are "good apples" that wish to comply with regulation);
297. see also J.B. Ruhl & James Salzman, Mozart and the Red Queen: The Problem of Regulatory Accretion in the Administrative State, 91 GEO. L.J. 757, 805 (2003) (describing the problem of regulatory accretion, whereby the "system burdens" arising from the collective operation of rules thwart a regulated organization's ability to comply).
298. PAUL VIRILIO, THE ORIGINAL ACCIDENT 5 (2007);
299. see also id. ("The shipwreck is consequently the 'futurist' invention of the ship, and the air crash the invention of the supersonic airliner, just as the Chernobyl meltdown is the invention of the nuclear power station.");
300. CHARLES PERROW, NORMAL ACCIDENTS: LIVING WITH HIGH-RISK TECHNOLOGIES 3-5 (1984) (asserting that complex technological systems will inevitably fail and therefore produce "normal accidents").
301. See Erik F. Gerding, Code, Crash, and Open Source: The Outsourcing of Financial Regulation to Risk Models and the Global Financial Crisis, 84 WASH. L. REV. 127, 179 (2009) (discussing the ways that individuals "adapt to the set of legal rules designed to constrain their behavior" and explaining that "[o]ne adaptive response is to game-risk models").
302. See Kimberly D. Krawiec, Accounting for Greed: Unraveling the Rogue Trader Mystery, 79 OR. L. REV. 301, 308-13 (2000) (describing the internal system of incentives for financial traders that provides a rational reason to engage in risky behavior). See generally Kimberly D. Krawiec, The Return of the Rogue, 51 ARIZ. L. REV. 127, 128-33 (2009) (describing how selfregulatory regimes such as Basel II failed to address those incentives).
303. See supra notes 51-54 and accompanying text (discussing the regulations and requirements associated with HIPAA).
304. Adam Barth et al., Privacy and Utility in Business Processes, 20 IEEE COMPUTER SECURITY FOUND. SYMP. 279, 292 (2007).
305. See id. at 292-93 (deriving a general theory of how compliance systems can be used effectively to promote HIPAA compliance, in part by reference to the important work done on the MyHealth@Vanderbilt web-based patient portal built and used at the Vanderbilt Medical Center). 246. G.W. van Blarkom et al., PET, in HANDBOOK OF PRIVACY AND PRIVACY-ENHANCING TECHNOLOGIES: THE CASE OF INTELLIGENT SOFTWARE AGENTS 33, 49 (G.W. van Blarkom et al. eds., 2003), available at http://www.andrewpatrick.ca/pisa/handbook/Handbook-Privacy-and-PET- final.pdf.
306. See id. at 34 ("PET stands for a coherent system of ICT measures that protects privacy by eliminating or reducing personal data or by preventing unnecessary and/or undesired processing of personal data, all without losing the functionality of the information system. PET incorporated systems use Identity Protectors and divide systems into identity, pseudo-identity and anonymity domains." (citation omitted)).
307. Kenneth A. Bamberger & Deirdre K. Mulligan, Reframing Privacy: Regulators and Firms in the Evolution of a New American Metric 6-8 (Feb. 1, 2010) (unpublished manuscript, on file with author).
308. See generally HELEN NISSENBAUM, PRIVACY IN CONTEXT: TECHNOLOGY, POLICY AND THE INTEGRITY OF SOCIAL LIFE 2-3 (2009) (describing the importance of context in determining whether information is used appropriately, and therefore for meaningful privacy protection).
309. A. Barth et al., Privacy and Contextual Integrity: Framework and Applications, 2006 IEEE SYMP. ON SECURITY & PRIVACY 184, 184.
310. See, e.g., Press Release, Agiliance Inc., Agiliance Announces a Unified Privacy Management Solution (Sept. 16, 2009), available at http://www.agiliance. com/events/pr-20090916-UPM.html (introducing new technology that offers integrated and comprehensive privacy compliance on a single platform).
311. See generally Herbert Burkert, Privacy-Enhancing Technologies: Typology, Critique, Vision, in TECHNOLOGY AND PRIVACY: THE NEW LANDSCAPE 125, 130-36 (Philip E. Agre & Marc Rotenberg eds., 1998) (describing the limitations of PETs).
312. See, e.g., Lisa Vaas, Microsoft Gets Religious About Data Anonymization, CIO INSIGHT, July 24, 2007, http://www.cioinsight.com/c/a/Past-News/Microsoft- Gets-Religious-About-Data-Anonymization/(reporting the anonymization efforts of Microsoft and Google in their search and online-advertising functions).
313. See Latanya Sweeney, Uniqueness of Simple Demographics in the U.S. Population (Carnegie Mellon Univ., Sch. of Computer Science, Data Privacy Lab., Technical Report LIDAPWP4, 2000) (demonstrating the ability to identify uniquely 87% of the 1990 U.S. Census population using only gender, zip code, and full date of birth).
314. See Paul Ohm, Broken Promises of Privacy: Responding to the Surprising Failure of Anonymization, 57 UCLA L. REV. (forthcoming 2010) (manuscript at 42-43, on file at http://ssrn. com/abstract=1450006) (rejecting the idea that anonymization technology can overcome reidentification techniques).
315. See Marsha Cochrane et al., Industry Changes in the Market for Mortgage Loans, 41 CONN. L. REV. 1143, 1153 (2009) (listing automated underwriting tools as one of several recent innovations in the mortgage market).
316. See Aaron Unterman, Innovative Destruction-Structured Finance and Credit Market Reform in the Bubble Era, 5 HASTINGS BUS. L.J. 53, 96-97 (2009) (explaining that by maintaining unrealistic assumptions about housing-market price growth-even in light of the market's decline and well-known use of highly risky alternative mortgage products-credit-rating agencies misevaluated the subprime and structured finance market).
317. Steven Pearlstein, Credit Market's Weight Puts Economy on Shaky Ground, WASH. POST, Aug. 1, 2007, at D1.
318. See Jeffrey Manns, Rating Risks After the Subprime Mortgage Crisis: A User Fee Approach for Rating Agency Accountability, N.C. L. REV. 1011, 1036 (2009) (noting that creditdefault swaps are insurance against default).
319. Eamonn K. Moran, Wall Street Meets Main Street: Understanding the Financial Crisis, 13 N.C. BANKING INST. 5, 42 (2009).
320. See id. at 56 (asserting that even securities firms, which are typically held to lower requirements than banks themselves, are still subject to the capital requirements if they are owned by a bank or financial holding institution).
321. See Brady Dennis & Robert O'Harrow Jr., Financial Crisis: Complex Deals Veiled Risk for AIG, L.A. TIMES, Jan. 1, 2009, at C1 (describing how AIG relied on a consultant computer model that calculated risks when it began investing in credit-default swaps in 1998 and how the model projected a "99.85% chance of never having to pay out"-so remote "that the fees were almost free money").
322. See id. (explaining that private CDSs allowed a greater amount of financing and leveraging than regulators allowed for publicly traded debt).
323. Benton E. Gump & Thomas Lutton, Potential Effects of Fair Value Accounting on US Bank Regulatory Capital, 19 J. APPLIED FIN. 38, 39 (asserting that Federal Accounting Standards Rule 157-now recodified at ASC Topic 820-requires point estimates).
324. See, e.g., Dennis & O'Harrow, supra note 262 (describing the computer program AIG used to calculated the risk of CDSs).
325. Ricardo Adrogué, Fiscal Sustainability: A Value-at-Risk Approach, in CENTRAL AMERICA: GLOBAL INTEGRATION AND REGIONAL COOPERATION 59, 67 (Marcus Rodlauer & Alfred Schipke eds., 2005).
326. Thomas J. Linsmeier & Neil D. Pearson, Value at Risk, 56 FIN. ANALYSTS J. 47, 47 (2000).
327. Adrogué, supra note 266, at 67.
328. Id.
329. Michael C. Macchiarola, Beware of Risk Everywhere: An Important Lesson from the Current Credit Crisis, 5 HASTINGS BUS. L.J. 267, 294 n.134 (2009).
330. See id. at 294 (criticizing the various VaR models' reliance on previously observed correlations).
331. See RiskMetrics Group, Company History, http://www.riskmetrics.com/ history (providing the history of the company RiskMetrics, which began as an internal risk-management function of JP Morgan and developed the VaR model in 1994).
332. PHILIPPE JORION, VALUE AT RISK: THE NEW BENCHMARK FOR MANAGING FINANCIAL RISK 366 (2d ed. 2001).
333. Steven L. Schwarz, Rethinking the Disclosure Paradigm in a World of Complexity, 2004 U. ILL. L. REV. 1, 8-9.
334. Disclosure of Accounting Policies for and Quantitative and Qualitative Information About Market Risk Inherent in Derivative Financial Instruments and Derivative Commodity Instruments, Securities Act Release No. 7386, Exchange Act Release No. 38,223, Investment Company Act Release No. 22,487, 62 Fed. Reg. 6044, 6065 (Feb. 10, 1997) (codified at 17 C.F.R. § 229.305(a)(1)(iii)(A) (2009)).
335. JORION, supra note 273, at 71-74.
336. See Caitlyn Zaloom, Markets and Machines: Work in the Technological Sensoryscapes of Finance, 58 AM. Q. 815, 815 (2006) (highlighting the movement from face-to-face deals on the trading floor to digital deal rooms during the 1990s).
337. FAIR VALUE MEASUREMENTS, Accounting Standards Codification Topic 820-10-35 (Fin. Accounting Standards Bd. 2009).
338. See Nocera, supra note 1, at 26, 28-29 (contending that VaR was unable to accurately gauge the risk of mortgage-backed securities because VaR is based on a limited two-year data history);
339. cf. The Risks of Financial Modeling: VaR and the Economic Meltdown: Hearing Before the Subcomm. on Investigations & Oversight of the H. Comm. on Science & Technology, 111th Cong. 5-6 (2009) (statement of Christopher Whalen, Managing Director, Institutional Risk Analytics) (arguing that Wall Street used the "alchemy of financial modeling" to create and hide risk).
340. Nancy Stein, Prof. John Coffee on the Crisis, LAWDRAGON, http://www.lawdragon.com/index.php/newdragon/fullstory/prof-john-coffee-on-the- crisis.
341. Matt Taibbi, The Big Takeover, ROLLING STONE, Apr. 2, 2009, at 66, 71.
342. SEC. EXCH. COMM'N, SEC REPORT NO. 446-A, SEC'S OVERSIGHT OF BEAR STEARNS AND RELATED ENTITIES: THE CONSOLIDATED SUPERVISED ENTITY PROGRAM 22 (2008), available at http://finance.senate.gov/press/Gpress/2008/prg092608i.pdf.
343. Id.
344. Gerding, supra note 241, at 179-80 (quoting Nocera, supra note 1, at 46). See generally RENÉ M. STULZ, RISK MANAGEMENT AND DERIVATIVES 621 (2003) (explaining that VaR can be biased not only because of "implementation problems" but also "for a more fundamental reason if we are assuming the wrong distribution for the portfolio return").
345. See Taleb, supra note 33.
346. See Rob Jameson, How the Risk Models Failed the World's Banks: Why Didn't the Banking Industry Foresee the Crisis that Afflicts It?, NEW SCIENTIST, Sept. 27, 2008, at 8, 9 (observing that because risk-analysis systems only used recent U.S. data, they were unable to recognize the catastrophic effect that a nationwide downturn in housing prices would have on the banking system);
347. Nocera, supra note 1, at 28-29 (noting that Black Monday, Oct. 19, 1987-the date of the largest one-day stock-market-percentage decline in history-has been used as a worstcase scenario in many risk models and observing that risk analysis based on the culmination of the housing bubble in 2005-2006 was inadequate to predict what happened to the markets in 2007- 2008).
348. VaR is thus geared towards measuring "Knightian risk," which involves situations where probabilities are given. VaR is not geared towards "Knightian uncertainty" (which refers to situations in which possible outcomes can be identified but probabilities are not measurable), FRANK H. KNIGHT, RISK, UNCERTAINTY AND PROFIT 19-20 (1921),
349. or towards situations involving "structural ignorance" (where outcomes are neither naturally given nor easily constructed by the decisionmaker), ITZHAK GILBOA & DAVID SCHMEIDLER, A THEORY OF CASE-BASED DECISION 45 (2001).
350. See Gerding, supra note 241, at 141 (explaining that, in order to calculate VaR, modelers must and do make one of three assumptions: that the distribution of risk is normal, that it is based on historical patterns, or that it follows the prediction of a Monte Carlo simulation).
351. Taleb, supra note 33.
352. See Stephen Labaton, Agency's '04 Rule Let Banks Pile on New Debt, N.Y. TIMES, Oct. 3, 2008, at A1 (discussing the economic effects of the SEC's 2004 decision to raise the amount of debt investment banks could take on and its corresponding reliance on self-regulation).
353. Robert O'Harrow Jr. & Brady Dennis, A Crack in the System, WASH. POST, Dec. 30, 2008, at A1. The computer models developed by Yale University business professor Gary Gorton forecasted that the only scenario in which AIG would have to pay out was in the case of a fullblown depression, in which case the counterparties would go bankrupt and would not likely demand payment. Id.;
354. see also American International Group, Annual Report (Form 10-K), at 129 (Dec. 31, 2007) ("AIG did not maintain, in all material respects, effective internal control over financial reporting ⋯ because a material weakness in internal control over financial reporting related to the AIGFP super senior credit default swap portfolio valuation process and oversight thereof existed as of that date.").
355. Robert O'Harrow Jr. & Jeff Gerth, As Crisis Loomed, Geithner Pressed but Fell Short, WASH. POST, Apr. 3, 2009, at A1.
356. Steve Kroft, The Bet that Blew Up Wall Street: Steve Kroft on Credit Default Swaps and Their Central Role in the Unfolding Economic Crisis, 60 MINUTES, Aug. 27, 2009, http://www.cbsnews.com/stories/2008/10/26/60minutes/ main4546199.shtml.
357. E.g., Roger Brownsword & Karen Yeung, Introduction to REGULATING TECHNOLOGIES: TOOLS, TARGETS AND THEMATICS, supra note 220, at 7, 13 (distinguishing between legal issues arising from the use of technology as a "regulatory tool" and those involved with technology as a "regulatory target").
358. See generally Bert-Jaap Koops, Criteria for Normative Technology: The Acceptability of 'Code as Law' in Light of Democratic and Constitutional Values, in REGULATING TECHNOLOGIES: TOOLS, TARGETS AND THEMATICS, supra note 220, at 157, 158 (coining the term).
359. More synthetic accounts of technological functionalities and potential regulatory responses can be found, for example, at Jay P. Kesan & Rajiv C. Shah, Shaping Code, 18 HARV. J.L. & TECH. 319 (2005) and Koops, supra note 295.
360. See also Reidenberg, supra note 31, at 588-91, for an examination of ways in which public policy can change code.
361. LESSIG, supra note 31, at 341-45.
362. See JACK GOLDSMITH & TIM WU, WHO CONTROLS THE INTERNET?: ILLUSIONS OF A BORDERLESS WORLD 153 (2006) ("Technologies of control designed to serve legitimate and desired ends can rarely be limited to those ends, and will often be co-opted for illegitimate purposes."). The more important lesson is that the Internet is not, as many in the 1990s believed, "an unstoppable juggernaut that will overrun the old and outdated determinants of human organization." Id. at 183. To the contrary, the Internet itself is taking on the characteristics-good and bad-of the governments and people beneath it in different parts of the world.
363. See id. at 184 ("[T]he openness of the network is contingent, and one of the most important things it is contingent on is governmental coercion that demands a unique architecture.").
364. See Koops, supra note 295, at 158 & n.2 (noting that all technology inherently "has a regulatory effect on people's behavior" but arguing that the crucial innovation in normative technology is that it "contains intentionally built-in rules").
365. Cf. id. at 159 (noting that the broader category of normative technology includes both "norm-establishing" and "norm-enforcing" incarnations).
366. Digital Millennium Copyright Act, 17 U.S.C. § 112(f)(2)(B) (2006).
367. See generally Pamela Samuelson, Intellectual Property and the Digital Economy: Why the Anti-circumvention Regulations Need to Be Revised, 14 BERKELEY TECH. L.J. 519 (1999) (discussing legal constraints on circumvention of such private-rights-enforcing controls).
368. See LESSIG, supra note 31, at 116 (describing DRM, such as Apple's "fairplay" encoding of iTunes songs, as technologies that "add code to digital content that disables the simple ability to copy or distribute that content-at least without the technical permission of the DRM technology itself").
369. For example, from 2006 until 2007, Sony BMP sold CDs containing covert DRM software that embedded itself on a user's computer. The software created security vulnerabilities, completely blocked the user's ability to copy music, and reported personal information about the user back to Sony-all with no notice to the user. Once discovered, Sony was charged with various deceptive trade practices and eventually consented to a settlement with the FTC allowing users to exchange all of the sold CDs, provide clear labeling of all future DRM software on CD packaging, and reimburse consumers for damages to their computers. Press Release, FTC, Sony BMG Settles FTC Charges (Jan. 30, 2007), available at http://www.ftc.gov/opa/2007/01/sony.shtm.
370. See generally Deirdre K. Mulligan & Aaron K. Perzanowski, The Magnificence of the Disaster: Reconstructing the Sony BMG Rootkit Incident, 22 BERKELEY TECH. L.J. 1157, 1165 (2007) (discussing "the market, technological, and legal factors that appear to have led a presumably rational actor [Sony] toward a strategy that in retrospect appears obviously and fundamentally misguided").
371. See generally 17 U.S.C. § 107 (providing for copyright's fair-use exception).
372. LESSIG, supra note 31, at 187.
373. Julie E. Cohen, DRM and Privacy, 18 BERKELEY TECH. L.J. 575, 615 (2003).
374. See Molly Schaffer Van Houweling, Communications' Copyright Policy, 4 J. ON TELECOMM. & HIGH TECH L. 97, 98-99 (2005) (advocating a role for the FCC in balancing the extent of copyright protection).
375. Dan L. Burk & Julie E. Cohen, Fair Use Infrastructure for Rights Management Systems, 15 HARV. J.L. & TECH. 41, 65-67 (2001).
376. Danielle Keats Citron, Open Code Governance, 2008 U. CHI. LEGAL F. 355, 365;
377. Joseph Lorenzo Hall, Policy Mechanisms for Increasing Transparency in Electronic Voting (2008) (unpublished Ph.D. dissertation, Univ. Cal., Berkeley).
378. See generally Pamela Samuelson & Jason Schultz, Should Copyright Owners Have to Give Notice About Their Use of Technical Protection Measures? 6 J. ON TELECOM. & HIGH TECH. L. 41, 59-65 (2007) (discussing generally the lack of transparency of technology protection measures).
379. See Citron, supra note 204, at 1260-67 (describing the design, implementation, and hurdles of automated-decision systems used for public-benefit programs such as Colorado's state benefits, the Food Stamp Act, and the National School Lunch Program).
380. See Citron, supra note 309, at 357 ("Because these systems' software is proprietary, the source code-the programmers' instructions to the computer-is secret.").
381. Id.
382. See, e.g., Citron, supra note 204, at 1258, 1278-1300 (arguing that automated benefitsmanagement systems jeopardize due process norms);
383. see also Erin Murphy, Paradigms of Restraint, 57 DUKE L.J. 1321, 1393-1411 (2008) (arguing that governmental substitution of technological for physical systems for restraint of dangerous persons merits constitutional scrutiny).
384. See Sarbanes-Oxley Act of 2002, Pub. L. No. 107-204, 116 Stat. 747 (enhancing oversight responsibility for U.S. public-company boards);
385. In re Caremark Int'l Derivative Litig., 698 A.2d 959, 970 (Del. Ch. 1996) (stating that "a director's obligation includes a duty to attempt in good faith to assure that a corporate information and reporting system, which the board concludes is adequate, exists," and that it is impossible for directors to satisfy their obligation to be reasonably informed about the corporation's operations without doing so).
386. See Bamberger, supra note 13, at 386-89 (asserting that technology and other complex fields cannot achieve multifaceted goals under traditional rule-based mandates, so experts have increasingly promoted regulation through "incomplete" regulatory instruments that provide greater flexibility and focus on performance instead of concrete rules).
387. See Robert Bartlett, Financial Crises and the Perils of "Safe" Credit 1-3 (Nov. 6, 2009) (unpublished manuscript, on file with author) (discussing the ways in which financial crises frequently arise as a result of a consensus regarding assessments as to which investments are "safe," the resulting nondiversified investment choices, and the surprising failures in such "safe" markets).
388. In the words of the Supreme Court, a decisionmaker's arbitrary-and therefore illegitimate-exercise of delegated discretion is that which "relie[s] on factors which Congress [or agencies] ha[ve] not intended it to consider, entirely fail[s] to consider an important aspect of the problem, offer[s] an explanation for its decision that runs counter to the evidence before the agency, or is so implausible that it could not be ascribed to a difference in view or the product of [decisionmaker] expertise."
389. See Motor Vehicle Mfrs. Ass'n v. State Farm Mut. Auto. Ins. Co., 463 U.S. 29, 43 (1983) (observing that the presence of any of these four factors makes a rule of an agency operating under a mandate from Congress arbitrary).
390. Michael C. Dorf, The Domain of Reflexive Law, 103 COLUM. L. REV. 384, 384 (2003) (reviewing JEAN L. COHEN, REGULATING INTIMACY: A NEW LEGAL PARADIGM (2002));
391. see also Michael C. Dorf & Charles F. Sabel, A Constitution of Democratic Experimentalism, 98 COLUM. L. REV. 267, 322 (1998) (advocating the continuous exchange of operating information, which would undermine novel self-dealing);
392. Bradley C. Karkkainen et al., After Backyard Environmentalism: Toward a Performance-Based Regime of Environmental Regulation, 44 AM. BEHAV. SCIENTIST 692, 692-94 (2000) (providing, in the environmental context, a model in which administrative agencies develop the architecture for gathering and analyzing information across local contexts as a part of the regulatory and education process).
393. See generally Lobel, supra note 43, at 352-55 (providing an account of this body of scholarship).
394. Dorf, supra note 318, at 384.
395. See Kimberly D. Krawiec, Cosmetic Compliance and the Failure of Negotiated Governance, 81 WASH. U. L.Q. 487, 487 (2003) (arguing that these models of regulation "do not deter prohibited conduct within firms and may largely serve a window-dressing function that provides both market legitimacy and reduced legal liability");
396. see also Bamberger, supra note 13, at 435 ("Once firm decisionmakers know the particular rules for reaching a regulatory safe harbor, and once those approaches have been integrated into corporate understandings of the compliance environment, agency review is likely to exacerbate, rather than ameliorate, pathologies of routinized behavior.");
397. Kimberly D. Krawiec, Organizational Misconduct: Beyond the Principal-Agent Model, 32 FLA. ST. U. L. REV. 571, 598-99 (2005) (arguing that organizations have perverse incentives to implement ineffective compliance programs).
398. Rubin, supra note 39, at 387;
399. see also id. ("Rather than perceiving the government demand as a single cost, the corporation's process of self-understanding may lead it ⋯ to develop a relationship based on genuine compliance.").
400. A discussion of regulatory transparency under the Basel II regime follows.
401. See also, e.g., 15 U.S.C. § 7262 (2006) (requiring the annual reports of issuers of registered securities to include statements of responsibility for and assessment of internal control structures and procedures for financial reporting (Sarbanes-Oxley));
402. id. § 6808 (ordering a study of the information-sharing practices of financial institutions, including the extent and adequacy of their security protections for customers' personal information (Gramm-Leach-Bliley));
403. INTERNAL MKT. & SERVS. DG, EUROPEAN COMM'N, 'SOLVENCY II': FREQUENTLY ASKED QUESTIONS 7 (2009), available at http://ec.europa.eu/internal-market/ insurance/docs/solvency/solvency2/faq-en.pdf (requiring insurers to have an "adequate and transparent governance system" and noting that review of governance and risk-management systems will be central to the "supervisory review process" (Solvency II)).
404. BASEL, A REVISED FRAMEWORK, supra note 65, at 148-54.
405. Risk-Based Capital Standards: Advanced Capital Adequacy Framework-Basel II, 72 Fed. Reg. 69,288, 69,289 (Dec. 7, 2007) (to be codified at 12 C.F.R. pt. 3).
406. Capital Adequacy Standards for Bank Holding Companies, 12 C.F.R. pt. 225, app. G, § 71 (2009);
407. see also id. § 1 tbl.11.3 (Capital Adequacy) (requiring "[a] summary discussion of the ⋯ approach to assessing the adequacy of its capital to support current and future activities");
408. id. § 1 tbl.11.9 (Operational Risk) (requiring a "[d]escription of the [advanced measurement approaches used], including a discussion of relevant internal and external factors considered in the bank holding company's measurement approach," and a "description of the use of insurance for the purpose of mitigating operational risk").
409. Risk-Based Capital Standards: Advanced Capital Adequacy Framework-Basel II, 72 Fed. Reg. at 69,386.
410. "A sound [advanced measurement] framework combines four sources of information: 1. Internal operational risk loss data 2. Relevant external operational risk loss data 3. Scenario analysis of expert opinion [and] 4. Bank-specific business environment and internal control factors." Jean-Phillippe Peters & George Huebner, Modeling Operational Risk Based on Multiple Experts
411. Opinions, in OPERATIONAL RISK TOWARD BASEL III: BEST PRACTICES AND ISSUES IN MODELING, MANAGEMENT, AND REGULATION 3, 4 (Greg N. Gregoriou ed., 2009). Nevertheless, the Basel II framework leaves discretion as to how to combine them, and there are neither formal, nor generally accepted, methodologies for their reporting.
412. Guy Ford et al., Operational Risk Disclosure in Financial Services Firms, in OPERATIONAL RISK TOWARD BASEL III: BEST PRACTICES AND ISSUES IN MODELING, MANAGEMENT, AND REGULATION, supra, at 381, 384.
413. Risk-Based Capital Standards: Advanced Capital Adequacy Framework-Basel II, 72 Fed. Reg. at 69,386.
414. Id.
415. Id. The SEC's Regulation S-K thus requires disclosure of only "description[s]" of underlying financial models used in assessing periodic financial filings.
416. See, e.g., 17 C.F.R. § 229.305(a)(ii)(B) (2009) (providing that "[r]egistrants shall provide a description of the model, assumptions, and parameters");
417. id. § 229.305(a)(iii)(B)(1)(i) (requiring provision of "[t]he average, high and low amounts, or the distribution of the value at risk amounts for the reporting period"). 331.
418. See Melissa Klein Aguilar, Report: Disclosures on ERM Lacking, COMPLIANCE WEEK: THE FILING CABINET, June 30, 2009, http://www.complianceweek.com/blog/ aguilar/2009/06/30/report-disclosures-on-erm-lacking (summarizing a study of 4,162 companies conducted by GovernanceMetrics International (GMI) finding a lack of standardized disclosure-and often of any disclosure-of company-wide risk management);
419. Press Release, GovernanceMetrics Int'l, GMI Looks at Corporate Boards and Risk Oversight: Investors Need Greater Transparency (June 29, 2009), available at http://gmiratings.com/release-GMI-Boards-Risk-Oversight-6-29-09.pdf (noting that of the 4,162 companies surveyed, only 33.1% comprehensively disclose their riskmanagement policies).
420. See, e.g., Financial Disclosure by Clinical Investigators, 21 C.F.R. § 54 (2009) (requiring disclosure of financial interests of clinical investigators in the success or failure of the drugs they are testing).
421. FED. RESERVE SYS., THE SUPERVISORY CAPITAL ASSET PROGRAM: DESIGN AND IMPLEMENTATION 1-2 (2009).
422. For further explanation of policy mechanisms for promoting disclosure of computer code in the context of voting technology, see generally Hall, supra note 309.
423. Erik Gerding in fact argues that such technology should be fully open source. Gerding, supra note 241, at 179.
424. See SEC Final Rule: Interactive Data to Improve Financial Reporting, Securities Act Release No. 9002, Exchange Act No. 59,324, Trust Indenture Act Release No. 2461, Investment Company Act Release No. 28,609, 74 Fed. Reg. 6776, (Feb. 10, 2009) (to be codified at 17 C.F.R. §§ 229, 230, 232, 239, 240 & 249) (setting forth a three-year, phased-in implementation schedule of XBRL for various types of companies);
425. Kate Plourd, SAP Plays the Data Tagging Game, CFO.COM, Feb. 20, 2009, http://www.cfo.com/article.cfm/13144083/c-2984312/?f=archives (documenting efforts of major GRC vendors like SAP to provide XBRL tools in their software);
426. SEC, Interactive Data Viewers, http://www.sec.gov/spotlight/xbrl/viewers. shtml (providing the Rendering Engine source code).
427. FDA Transparency Task Force, Notice of Public Meeting, 74 Fed. Reg. 26,712, 26,713 (June 3, 2009).
428. See generally ANNELISE RILES, Placeholders: Engaging the Hayekian Critique of Financial Regulation, in COLLATERAL KNOWLEDGE: LEGAL REASONING IN THE GLOBAL FINANCIAL MARKETS ch. 5 (forthcoming 2010), available at http://ssrn.com/abstract=1492065 (discussing the truth of Friedrich Hayek's insight that public expertise, or bureaucratic knowledge, is inherently one step behind the market, preventing effective market planning, but arguing on the other hand that the flaws of private decisionmaking justify enhancing regulatory capacity nonetheless).
429. See O'Harrow & Gerth, supra note 292 (detailing how, because of limited resources, N.Y. Federal Reserve Chief Tim Geithner was entirely reliant on the assessments of big banks about their activities).
430. See, e.g., Elizabeth A. Nowicki, 10(b) or Not 10(b)?: Yanking the Security Blanket for Attorneys in Securities Litigation, 2004 COLUM. BUS. L. REV. 637, 710-11 (describing how chronic understaffing at the SEC limits its enforcement abilities);
431. Jay W. Verret, Dr. Jones and the Raiders of Lost Capital: Hedge Fund Regulation, Part II, a Self-Regulation Proposal, 32 DEL. J. CORP. L. 799, 817 (2007) (illustrating why hedge-fund regulators trail private actors in technical competence regarding new financial products).
432. See, e.g., Nowicki, supra note 340, at 709-11 (asserting that pressures on the SEC prevent effective regulation because SEC lawyers are hesitant to regulate their peers and upset the private bar);
433. O'Harrow & Gerth, supra note 292 (explaining that bank regulators at the Federal Reserve Bank of New York may have been too closely tied to private financial institutions to effectively oversee and enforce risk-management regulations against those institutions).
434. See Dep't of Homeland Sec. Privacy Office, Data Integrity, Privacy, and Interoperability Advisory Committee, 69 Fed. Reg. 18,923 (Apr. 9, 2004) (providing notice of the establishment of the Data Integrity, Privacy, and Interoperability Advisory Committee, and outlining its structure and purpose);
435. Kenneth A. Bamberger & Deirdre K. Mulligan, Privacy Decisionmaking in Administrative Agencies, 75 U. CHI. L. REV. 75, 104-05 (2008) (discussing the role of the Committee in DHS's compliance with the Privacy Impact Assessment requirements of the E-Government Act of 2002).
436. See O'Harrow & Gerth, supra note 292 (relaying that a confidential review by N.Y. Federal Reserve Bank discovered that "banking companies could not properly assess their exposure to a severe economic downturn and were relying on the 'intuition' of banking executives rather than hard quantitative analysis").
437. Dorf & Sabel, supra note 318, at 350.
438. See Bamberger, supra note 13, at 465 (pointing to the regulatory model-settlement agreements, which "are characterized not just by cooperation, but by cooperation 'in the shadow' of enforcement").
439. See Stephen A. Raymond & Gerald F. Meyer, Interpretation of Regulatory Requirements by Technology Providers, 11 APPLIED CLINICAL TRIALS 50, 50-51 (2002) (noting that with the help of clinical-trial sponsors and technology providers, the FDA developed regulations to facilitate the use of computer systems and data-processing technology in the submission of clinical trials).
440. Fed. Trade Comm'n, Technologies for Protecting Personal Information, http://www.ftc.gov/bcp/workshops/technology/index.shtm.
441. See FTC Public Workshops Notice, 68 Fed. Reg. 8904 (Feb. 26, 2003) (announcing two public workshops on securing personal information).
442. See Fed. Trade Comm'n, supra note 347.
443. See Daniel Carpenter & Justin Grimmer, Approval Regulation and the Endogenous Provision of Confidence: Theory and an Analogy Between Financial Safety and Regulation 3 (Apr. 13, 2009) (unpublished manuscript, on file at http://www.tobinproject.org/welcome/conference-theory/papers/ TheTobinProject-CarpenterGrimmer.pdf) (discussing aspects of safety regulations that can be applied to financial governance).
444. Cynthia A. Glassman, Comm'r, SEC, Remarks at the Practicing Law Institute-SEC Speaks (Feb. 28, 2003) (transcript available at http://www.sec.gov/news/speech/spch022803cag.htm).
445. Bamberger, supra note 13, at 385.
446. Mark Jensen, Nat'l Dir., Deloitte LLP Venture Capital Servs. Group, The Impact of Rule 404 and the Accounting Oversight Board, Panel Presentation at the Conference on Post-Enron Corporate Regulation: Has the Pendulum Swung Too Far-or Not Far Enough? at the University of California at Berkley, Boalt School of Law (Mar. 17, 2006).
447. See, e.g., Murray G. Millar & Abraham Tesser, Thought-Induced Attitude Change: The Effects of Schema Structure and Commitment, 51 J. PERSONALITY & SOC. PSYCHOL. 259, 269 (1986) (suggesting that the complexity of cognitive schema-together with the existence or nonexistence of a prior commitment to a particular attitude toward an object-determine the subsequent polarization of attitudes toward that object);
448. Angelo C. Valenti & Abraham Tesser, On
449. the Mechanism of Thought-Induced Attitude Change, 9 SOC. BEHAV. & PERSONALITY 17, 21 (1981) (suggesting that a self-generated change in a subject's attitude toward an object is substantially affected by a change in the subject's cognitive schema);
450. see also Mark D. Burdick et al., The Ameliorating Effects of Accountability on Automation Bias, 3 SYMP. ON HUM. INTERACTION WITH COMPLEX SYS., 142, 142 (1996) (finding, in airplane cockpit testing, that "subjects who perceived themselves as accountable for their accuracy or performance were significantly less likely to fall victim to automation bias").
451. See, e.g., Mark D. Burdick et al., The Debiasing Effects of Accountability and Feedback on Automation Bias, 41 HUM. FACTORS & ERGONOMICS SOC'Y 1407, 1407 (1997) (finding that "participants high in perceived accountability made fewer omission errors than those low in perceived accountability while participants who received performance feedback made more correct responses than did those who received no feedback");
452. L.J. Skitka et al., Accountability and Automation Bias, 52 INT'L J. HUM.-COMPUTER STUD. 701, 714-15 (2000) (suggesting that increased social accountability of decisionmakers using automated aids may lower the risk of error that results from the reduced situation awareness caused by those aids).
453. See, e.g., Daniel M. Berry, The Importance of Ignorance in Requirements Engineering: An Earlier Sighting and a Revisitation, 60 J. SYS. & SOFTWARE 83, 83 (2002) (discussing the importance of including a "smart ignoramus" in the requirements-engineering process whose "ignorant, not stupid," questions expose tacit assumptions of the programmers).
454. See, e.g., Batya Friedman & Peter H. Kahn, Jr., Human Agency and Responsible Computing: Implications for Computer System Design, 17 J. SYS. & SOFTWARE 7, 11 (1992) (discussing the importance of ensuring that technology systems, like those involved in assessing whether to remove life support, are used as a consultation tool to aid in the decision of removing life support rather than as a fully "closed loop" decision system).
455. Skitka et al., supra note 355, at 715.
456. See generally Daniel A. Farber, Confronting Uncertainty Under NEPA (Univ. Cal. Berkeley Pub. Law and Legal Theory Research Paper Series, Research Paper No. 1403723, 2009), available at http://papers.ssrn.com/sol3/papers.cfm? abstract-id=1403723 (discussing such problems in the assessment and mitigation of climate change);
457. Douglas A. Kysar, It Might Have Been: Risk, Precaution, and Opportunity Costs (Cornell Law Sch. Legal Studies Research Paper Series, Research Paper No. 06-023, 2006), available at http://ssrn.com/abstract=927995 (discussing such problems in the context of cost-benefit analysis).
458. Farber, supra note 359, at 25 (quoting Roger A. Pielke, Jr. et al., Decision Making and the Future of Nature: Understanding and Using Predictions, in PREDICTION: SCIENCE, DECISION MAKING, AND THE FUTURE OF NATURE 361, 369 (Daniel Sarewitz et al. eds., 2000)).