Global financial markets have suffered many big crises over the years, but this Summer’s liquidity crisis has shocked the banking community like nothing before. Financial institutions have uncovered losses that could reach $50 billion.

Disasters on this scale mean that something must be done, people must be blamed. Lenders are already tightening the purse strings, legislators too are sharpening their pencils. In the US, subprime lenders may be forced to register their loans, calculate their risks more transparently. Credit rating agencies may be forced to divulge conflicts of interest.

Meanwhile, doubts are already being raised over one proposed mechanism for quantifying risks. Basel II, a European banking accord, is designed to enable banks to take a more flexible, risk-based approach to calculating their capital requirements. But it not only uses financial models that fail to fully take into account the risks involved in complex financial instruments, it gives the credit ratings agencies – who so obviously failed in their duties this Summer – a central role in assessing the banks’ risks. Basel II is only just being finalised, but may need extensive revisions.

There is a big IT angle to all this: whenever regulators attempt to build in processes and systems that anticipate or prevent scandals and disasters, they not only create a huge opportunity for IT suppliers, who provide the necessary software and services, but they put a huge burden on IT and finance departments.

Furthermore, eliminating risk is like squeezing a balloon. Regulators may move it, reduce it, and they will almost certainly make the whole thing more complicated, but they won’t solve it.

So here is a cautionary tale – the story of Sarbanes-Oxley (SOX), a law that has hugely benefited the IT industry, deeply troubled financial officers and CIOs, made executive corporate life extremely difficult, but has had few or no proven benefits.

When President George Bush signed Sox into law in July 2002, the times demanded tough actions. Stock markets had plummeted from their 2000 peaks, and 9/11 had further shaken confidence. Meanwhile, people like Kenneth Lay and Jeff Skilling of Enron, and Bernie Ebbers of Worldcom – people who had apparently lied to Wall Street and perpetrated massive frauds – were proclaiming their innocence. Their excuses: they had not known what was going on, or they didn’t know the law, or they were just following common practice.

SOX was designed to stop such executive wriggling. The law demanded rigorous reporting systems be put in place that would make it impossible for executives to ever deny that they knew what was going on and had understood and approved the company reports – on pain of criminal prosecution.

SOX put the wind up the executives, but it was a huge windfall to IT suppliers. CIOs were given a licence to invest, and invest they did. From archiving systems to business intelligence systems; applications to track the new processes; search and content management systems; security systems to ensure access to documents is tracked and controlled.

All in all, by the end of 2008, companies will have cumulatively spent $32.3 billion on SOX compliance, says analyst group AMR. Almost $24 billion of that will have been in people and consulting services, with a further $8.6 billion going on the technology. 

What has it achieved? Certainly, processes have improved, governance is better. But while giant multinationals have swallowed the cost, smaller companies have had to spend over 1% of revenues on SOX.

US markets have suffered: SOX is so strict, that many companies say it is too onerous to list in the US. Some entrepreneurs have abandoned the dream of going public, preferring to look for trade buyers. Meanwhile, funding has poured into private equity groups, which are far less accountable. So SOX has helped the risk to move – it is now hidden in less accountable funds. Many executives say SOX is reducing risk taking and putting too much IT overhead into management processes. Executives demand more pay to compensate for the extra risks. It is no wonder there is constant talk of repeal or reform.

And the scandals haven’t disappeared – look at Conrad Black at Hollinger, Sanjay Kumar at Computer Associates, and the 200 companies investigated for illegally back-dating stock options.

None of this is an argument against legislation to protect consumers or fund holders. But it is a cautionary tale: business is a creative, risk-taking activity, not just a vast collection of processes. IT is usually associated with improving efficiency, but over-complex IT, like over-protective or reactive laws, will not help business or the consumer.