Technologies of Compliance: Risk and Regulation in a Digital Age
Written by Kenneth A. Bamberger
Thursday, 03 September 2009 14:43
Legal scholarship has been silent about a phenomenon with profound implications for governance: the automation of compliance with laws mandating risk management. Regulations - from bank capitalization rules, to Sarbanes-Oxley’s provisions on financial fraud and misrepresentation, to laws governing information privacy protection - frequently require regulated firms to develop internal processes to identify, assess, and mitigate risk. To comply, firms have turned wholesale to technology systems and computational analytics that measure and predict corporate risk levels, and 'force' decisions accordingly. In total, the third-party market for compliance-technology products, known generally as “governance, risk and compliance” (GRC) software, systems and services, alone grew to $60 billion last year, and this growth is poised to increase exponentially.
While these technology systems offer powerful compliance tools, they also generate risks of their own. They permit computer programmers to interpret legal requirements; they mask the uncertainty of the very hazards with which policymakers are concerned; they skew decisionmaking through an 'automation bias' that privileges personal self-interest over sound judgment; and their lack of transparency thwarts oversight and accountability. These phenomena played a critical role in the recent financial crisis.
The full story is available at SSRN.com