1. Assessing Dodd-Frank’s Impact on Security & Risk Analysis: Conflicts, Controls & Transparency John W. Bagby, Professor of IST Pennsylvania State University

2. Statement of the Problem Risk Assessment is Largely Unregulated – Exception: ISO 31,000 a “family” of industry standards Some Significant but Narrow Exceptions: – E.g., Nuclear Power, FDAs Drug/Device Trials (NDA), SOX §404 Top Down Risk Assessment (PCAOB & SEC) Several Recent & Spectacular Regulatory Failures – Permitted Significant Societal Hazards – Financial Engineering & Innovation – Food & Drug Safety – Petroleum Exploration & Production – Complex Computer-Controlled Vehicle Designs Regulatory Failure Due to Failed Risk Assessment

3. Government Regulation, Acting Alone, Cannot Control Systemic Risk Traditional Financial Risk Management has only 3 narrow foci: 1. Hedging Financial Risks 2. Insurance Markets & Insurance Industry Practice 3. Actuary Systemic Financial Risk Largely Left to the FRB Fragmentation of Financial Risk Management Contributed Significantly to 2008 Financial Crisis – Federal Functional Regulators: Fed, Comptroller, FDIC, OTS, NCUAB, SEC, CFTC, states

4. Composition of Incentives for Risk Analysis: a Layered Institutional Structure 1. Market Disciplines: capital, product, factor 2. Social Responsibility: Voluntary 3. Industry (Best) Practice 4. Industry Standards 1. Independent Conformity Assessment (e.g., audit, credit rating) 5. Self-Regulation 6. State Regulation 7. Federal Regulation 8. State Tort Liability 9. Federal Tort Liability 10. State Criminal Liability 11. Federal Criminal Liability

5. Impacts of Layered Institutional Structure THE Conundrum: – Robust Risk Analysis Attenuates Risk Taking Cons: – Redundancies Constrain Liberty – Stifles Innovation & Competitiveness – Seemingly Duplicative & Complex – Potentially More Costly Compliance for Regulated Entities – Inefficient use of Societal Resources Pros: – Checks & Balances have Proven Value – Redundancies are Typical in Complex Systems with High Potential Costs of Failure – Failure of Control Produces Pressure for Regulatory Complexity

6. Financial Risk Control Institutions Market Forces Financial Analysts’ Reports Ratings Agencies Internal Control External Audit Board Oversight Fragmented Financial Regs (Fed Funct’l, state) Congressional Watchdog Comms, OIG, GAO

7. The Regulatory Failure Hypothesis Largely Undefined & of Recent Vintage – ‘08 Financial Crisis, Moncando well blowout, FDA, NHTSA Considerable Related Roots – W. Wilson, New Freedom… (’14) – G. Stigler, Theory Economic Regulation … (‘71) – S. Breyer, Analyzing Regulatory Failure … (’79) – F. Hayek, Fatal Conceit …(’88) Range of Outcomes – Trivial Bumbling to Catastrophic Failure – Public (over-)Reliance Trusting in Regulatory Perfection then Disaffection

8. Causes of Regulatory Failure Regulator Incompetence Regulatory Capture Regulatory Programs Frequently Suffer Political Compromise Implemented as: – Compromised Regulatory Program Funding – Insufficient Statutory Authorization – Clandestine Deregulation Regulation is Decidedly Ex Post – Liberty & Laissez Faire Relegate Regulatory Solutions to Remediate Past Misconduct or Catastrophic Failure – Planned Economies Generally Fail to Incite Innovation & Prosperity Regulatory Costs Impose Undue Burden on Growth

9. The Seeds: Recent Regulatory Heritage GLB – Universal Banking Frustrates Risk Isolation by Compartmentalization – Strict Prudential Activities Abandon in Favor of Promised Returns from Financial Innovation SOX – PCAOB, Auditor Independence, Conflicts, Disclosure Responsibility (§302) & Controls Assessment (§404) OTC (exoitic) Derivatives De/Non Regulation – Regul.Capture, Conflicts, Risk Disregard

10. Inspiration for the SEC’s Pre-Emptive Attempt to Expand Boards’ Risk Duties

11. SEC’s Response pre-DoddFrank 33-9089 Proxy Disclosure Enhancements 12.09 – FY ending after 2009 & proxy solicitations after 2.28.10 Firms must now Disclose Board’s Role as: Risk Oversight Must Discuss & Analyze: – Links: how risk management addresses risks from compensation policies & practices – Threshold: if reasonably likely to have “material adverse effect” Prediction: Will Expand Enterprise Risk Management (ERM)

12. Dodd-Frank: HR.4173 & S.3217 848 page long, complex & “taxonomy challenged” – Systemic Risk – Capital Markets Hedge Funds & Private Equity Swap Dealers & Major Swap Participants Derivatives & Securitization – Financial Institutions Insurance Industry Nonbank Financial Company Minimum Capital, Margin, Recordkeeping and Disclosure Proprietary Trading – Consumer Protection & Mortgage Markets (retail, wholesale) – Corporate Governance & Executive Compensation – Misc. Congo “Conflict Minerals” (gold, tin, tungsten) Alt: Conflicts, Controls & Transparency

13. DoddFrank Conflicts “Skin in the Game” credit risk retention Whistleblower Bounties enhanced (SEC) Compensation Consultants & Committee Independence Volcker Rule (Insured Institution Proprietary Trading Credit Rating Agencies

14. DoddFrank Controls New Regulators & Regulatory Powers – Financial Stability Oversight Council (FSOC) – Bureau of Consumer Financial Protection (BCFP) – All Federal Functional Regulators Compensation – Comp. Committees & Consulting Contracts – Exec & Golden Para “Say-on-Pay” (non-binding) – Clawback Risk Committees for Non-Banks Orderly Insolvency Resolution “2 big 2 fail” Derivatives Markets Mechanisms (Swap Dealers & Participants, Clearance, Market Mechanisms)

15. DoddFrank Transparency Disclosure of Golden Parachutes (merger compensation) Acquisition Disclosure Timetables Shortened Executive (Trader) Compensation Disclosures Asset Backed Security (asset & loan levels) Derivatives Markets Transparency

16. Will Political Forces Move To Produce Yet Another Regulatory Failure? Political Losses – Society’s Laser Focus on the Perverse Incentives of over- Compensation – Lobbying Must now Shift to “Soften” Regulations Political Wins – Only Gentle Constraints on Ratings Agencies? – Tough Regulators Still too Fragmented & Dispersed What Lies Ahead? Weakening DoddFrank – Est: 800 new SEC Staff needed to Enforce DoddFrank – De-Fund CFTC & SEC: Budget Woes Argued to Justify – Slow Funding of Comprehensive Studies Restrains Rule Changes (see Davis Polk )

17. Tentative Findings: Expand & Reinforce Effective Risk Awareness Mechanisms – DoddFrank Expands Risk Assessment: Conflicts, Controls, Transparency – VCSB Standards AICPA Risk Assessment Standards for Financials SAS 104, (amends SAS 1) SAS 106, Audit Evidence SAS 107, Audit Risk and Materiality in Conducting an Audit SAS 108, Planning and Supervision SAS 109, Understanding the Entity and Its Environment and Assessing the Risks of Material Misstatement SAS 110, Performing Audit Procedures in Response to Assessed Risks and Evaluating the Audit Evidence Obtained SAS 111, Amendment to SAS 39, Audit Sampling FDA’s NDA Model: Shift Some of the Burden of Proof from – Risk Averse to Prove Risk Magnitude Ex Post Calamity to – Risk Takers Ex Ante Show Reasonability of New Approaches