Print this article | Return to Article | Return to

Chilling Thoughts

A new study compares companies here and abroad, and concludes that Sarbanes-Oxley appears to have put a damper on risk-taking by U.S. firms.
Scott Leibs, CFO Magazine
August 8, 2007

Risk, like luck, comes in two varieties: good and bad. The latter you hope to avoid, the former to capitalize on. Lately, however, there's been precious little capitalizing. Companies have been decidedly risk-averse for years, accumulating piles of cash and returning it to shareholders rather than investing it in new products or ventures.

Many critics of regulation have claimed that one reason for this uncharacteristic caution has been the "chilling effect" of the Sarbanes-Oxley Act. Now researchers at the University of Pittsburgh have put that theory to the test, and have concluded that it's true.

Or true-ish. Or maybe just a coincidence, but if so a big one. Leonce Bargeron, Kenneth Lehn, and Chad Zutter looked at companies in the United States and the UK and assessed them on both accounting variables (the levels and types of investments companies make) and stockbased variables (for example, returns, betas, and companyspecific risk measures). They also looked at data on initial public offerings for both countries in an effort to see whether Sarbox has, as many speculate, driven companies to pursue IPOs overseas, and whether the companies that do so tend to be more risk-based (as measured by their researchand- development expenditures).

Once the data was crunched on more than 5,000 firms (split about 80/20 between the United States and the UK), the team concluded that risk-taking by U.S. firms has declined significantly in the post-Sarbox era. "We can't nail it down to Sarbox," says Bargeron, an assistant professor of business administration at Pitt (and a former CFO). "In isolation, any of our measures could be taken issue with, but together they create a preponderance of evidence that is striking."

Meanwhile, Sarbox was intended to have a positive impact on negative risks, the kind companies hope to avoid, by encouraging a more rigorous assessment of high-risk areas including finance and technology. But a PricewaterhouseCoopers study has found that almost one in five companies conducts no annual risk assessment, while a third conduct multiple assessments but rarely share the results across departments.

"The cost of overseeing risk and compliance goes well beyond Sarbox," says Miles Everson, a PwC partner, "and often runs to hundreds of millions of dollars a year." Many companies have rushed to create new positions or departments in response to specific demands, creating huge duplication of effort. "When was the last time a newly created job title wasn't named after a regulation?" he asks. "You have privacy officers, compliance officers, and new audit positions proliferating." By adopting a formal governance, risk, and compliance (GRC) strategy, he says, companies can get faster efficiency — and free up employees to explore the strategic risks that companies should be pursuing.