As energy and momentum build toward a wave of deregulation across multiple business sectors, there is growing enthusiasm that loosening of rules will lead to a new era of robust business expansion in the United States. While I'll be the first to concede that too much regulation indeed can stifle economic growth, it is dangerous to conflate the benefits of deregulation with a lessening of risk.
Deregulation for deregulation's sake is a dangerous practice that overlooks the reasons why rules are adopted in the first place. It also ignores a history of repeated corporate overreach that has led to scandal, economic disruptions, volatility of investor confidence in capital markets, and the inevitable return of burdensome regulations.
Those who support major cuts in regulations can rightfully point to examples of the exorbitant cost of compliance. For example, a 2014 Federal Financial Analytics report noted the six largest U.S. banks by assets spent US$70.2 billion in 2013 on regulatory compliance, nearly double what they collectively spent in 2007.
One recent Vanity Fair article noted that of JP Morgan Chase and Co.'s 236,000 employees, 43,000 — or more than 18 percent of its workforce — are involved in compliance. The author of the article concluded: "[T]he job of nearly one out of every five people working on Wall Street these days is to watch what four other people do all day long."
With all due respect, this is the kind of sentiment that opens the door to irresponsible deregulation. Instead of characterizing regulatory compliance as part of the effort to control risk through accountability and transparency, it depicts it as a function of Big Brother.
It is alarming that many organizations are enthusiastically looking forward to regulations disappearing so that they won't have to spend the money to monitor and mitigate them. That short-sighted view ignores history.
Following WorldCom, Enron, and other scandals, Congress took action to put into place legislation over internal control over financial reporting. They recognized there were serious risks to capital markets and to erosion of confidence by investors in companies. No matter what course the current deregulatory fervor ultimately runs, the underlying risks that led to legislation and regulation will still be there.
Companies that carelessly or enthusiastically strip out the controls, stop monitoring, or stop spending money to ensure strong internal controls and risk management are headed for disaster. There is plenty of evidence that when companies are not well-controlled, when risks are not well-managed, calamity ensues.
Internal audit has two important roles to play here. It first must educate organizations about the risks that remain in areas where regulations are cut and provide assurance that internal controls will mitigate those risks. Second, it must support and encourage management, audit committees, and boards to balance the short-term financial benefits of deregulation with the long-term benefits of strong risk management. This was part of The IIA's message to members of Congress during my recent visit to Washington, D.C.
In a blog post earlier this year, I announced The IIA had established a beachhead in Washington, D.C., with the hiring of our first director of government relations. At the time, I noted:
Our presence in Washington is not about lobbying for the special interest of The IIA, or of the internal audit profession. It is about educating and creating awareness on the part of legislators, regulators, and others on the vital role internal audit plays in the effectiveness of corporate and government organizations. Rather than lobby for specific legislation, we are a voice for contemplation and reason when new legislation and regulation is proposed by others. We want well-intended legislators to consider the unintended downstream consequences of new legislation on risk management and internal controls.
Well-intended legislators also should consider the unintended consequences of deregulation. There is danger in signaling that the shackles are being taken off the capital markets without a companion message that organizations should remain committed to sound risk management.
As always, I look forward to your comments.