28 September 2018

The allegations are not the issue, character is the issue

Yesterday I watched the Senate confirmation hearings for Judge Kavanaugh. I watched both his accuser's testimony and questioning, and his. I believe her. I don't believe him. But let us be very clear, there is not enough in the "she said, he said" for this to go to court. In addition, the desire to stall is a reasonable political manoeuvre. But that is not the issue.

The issue was what this exposed in the character of the nominee. What I saw yesterday was a political hack making the allegations part of a vast left-wing conspiracy by the Democrats to undermine the United States of Amerika. "Revenge" for the Clintons. Payback for the 2016 election. While the third might have, tangentially, a hint of truth, the first two are the work of a partisan and hateful mind, following in the Trumpian steps of telling the lie and keep telling the lie.

Kavanaugh demonstrated his character yesterday. He proved that he is not, and will not be a non-partisan judge on the highest court. He proved that his first question, even if only to himself, will be what political party is represented by either side in a case before the court, not the merits of the arguments from both sides in each case.

Yesterday we saw a Judge become a Republican Judge, who will ensure, regardless of the merits of any case, that the Republican position is upheld. 

It also became very clear, that this White Privilege Man will extract Revenge on those that called his name into question. He will place a lens of "left-wing conspiracy" over every case before him. And he will explain how he has been called by God to defend Amerika from the Clintons.

The man showed his character, and in so doing confirmed that the allegations did not matter. He will be a Supreme Court Judge, and Amerika will have taken another step toward the destruction of the Republic.

God Help Amerika, because the Trumpian Republicans will not.

20 September 2018

A Selection of Risk Management and Internal Audit Posts

Over the past year, I have posted a number of articles relating to Risk Management and/or Internal Audit. The objective of these has been to focus on the practical yet strategic, and not on individual risks or reporting standards. A selection of those articles includes:


  1. Strategic Audit or Strategic Auditing, and horror story
  2. Risk Geography and Waterfalls
  3. Delegations of Risk Authority
  4. Inherent and Residual Risk is Inadequate; What is the Appetite?
  5. What about your Target Risk?
  6. Single Points of Failure (SPOFs)
  7. Risk Quantification and Physics Envy
  8. Three Lines of Assurance
  9. Beyond Three Lines of Defence; Risk Management and Internal Audit
  10. After 22 years, InfoSec remains important
  11. The Importance of Emergency Lighting; a cautionary tale


Strategic Audit or Strategic Auditing. The ability to perform audits of strategy, or to perform strategic audits, is a critical element of successful Internal Audit. The willingness and ability to report the findings and recommendations requires courage; something too often lacking. I provide a specific example, that I believe contributed to the fall of a very major financial services company.

In Risk Geography and Waterfalls I discuss a simple methodology to add to your suite of risk identification and assessment tools, and how the use of Waterfall diagrams can reduce the likelihood of missing important risks. We've used this to some success, and the direct linkage of risk identification to the critical income and expenses waterfall improves coverage. Bringing the right people to the table is facilitated by this methodology, further improving risk identification and assessment.

Delegations of Risk Authority: Too often we hear people say "We've accepted that risk" when what they really mean is "this is too hard; either I'm not able to explain it adequately, or I know remediation costs won't be approved, so I'm not going to try". Just as companies have Delegation of Financial Authority, so should there be a Delegation of Risk Authority. This article discusses this in more depth, and suggests a way forward.

Inherent and Residual Risk is Inadequate: What is the Appetite? Too often the practice of internal auditing, when performing risk assessments, looks at Inherent Risk (the level of risk before any remediation) and Residual Risk (the level of risk after remediation). This is inadequate and forgets one of the most important aspects of Risk: the Risk Appetite. Without understanding the agreed Risk Appetite, Internal Audit risks imposing its assumptions of what the Risk Appetite should be, not what Senior Management and the Board have agreed.

What about your Target Risk? Following on from assessing the Inherent and Residual risk levels, if you do not know what your target risk level is, you will not know if your controls are effective, you will not know if the investment in remediation is appropriate, and most of all, you will not know when you have reached a level of control that meets the Risk Appetite of Senior Management and the Board.

Single Points of Failure:  While not a Risk Management or Internal Audit issue specifically, SPOFs (Single Points of Failure) are probably what will take the company down, at least for a short time. Yet these are also the area where you will probably see the most examples of "we've accepted that risk" from people with no authority to accept such risks.

Risk Quantification and Physics Envy: There is no question that the quantification of the potential negative (and positive) impact of the actualisation of a risk can help to clarify thinking, and support activities required to manage the risk. Yet quantification can also be a waste of time, and can be used to create rubbish results that mask as science. Poor quantification and simulation are easily as bad as or worse than poor subjective assessments.

Three Lines of Defence: The preferred model of various financial regulators, and one that has been embraced by the Institute of Internal Audit, provides a sound framework, as long as we recognise that all lines of defence provide assurance. These two articles address the importance of Assurance from all three lines, and the linkage between Risk Management and Internal Audit.

Three Lines of Assurance:  It is time for a fundamental shift in the thinking about the concept of Three Lines of Defence and the value that Internal Audit and Risk Management deliver, and an equally fundamental shift in the role of management in the delivery of assurance and value creation. Over the past decade, the role of provider of assurance to the Board has been defined by the Internal Audit profession, and enshrined in the IIA's presentation of the Three Lines of Defence (TLD) model. That presentation of the TLD model and the associated assumption of who provides assurance undermines the responsibility of professionals across businesses, and presents an overt statement that management is not to be trusted. As such, it is time to review that model and introduce new thinking.

Beyond the Three Lines; Risk Management and Internal Audit: This article is focused on the relationship between two elements of the Three Lines; Risk Management (in theory 2nd line) and Internal Audit (the 3rd line). These two lines of defence provide Directors, the Board, shareholders and stakeholders with confidence that the system of internal controls is functioning effectively, that risks are being identified and managed, and where appropriate, accepted or assumed deliberately.

Meanwhile, some stories never get old, and those tend to be around the practical, head-shaking events that we remember, but that could well manifest themselves again.

22 years later, and InfoSec remains a problem. In fact, it is probably a much bigger problem. How to convince the IT Manager that he really needs to take security seriously? Sometimes it takes a practical lesson.

The importance of Emergency Lighting. Have you ever been in a situation where you were simply dumbstruck by the lack of thought that went into a potentially life-threatening situation?


15 September 2018

Strategic Audit, Internal Audit's Five Legged Sheep

A little Strategic Audit horror story.

One special treat as a long-term Risk Manager and former Internal Auditor is to see the "latest" slide showing the "Auditor of the Past" and the "Auditor of the Future". I enjoy looking to see if the slide has changed in any material way from the same version twenty years ago. Sadly the slides never change, which either means we have still to reach the future, or that anyone who has been in the industry long enough recognises aspiration in the face of reality. I also like to see some of the perennial entries for the "future":



  • Auditing Strategy (or being a Strategic Auditor),
  • Greater use of technology, and
  • Being a pro-active communicator

Of course the list goes on, but for now, I want to focus on only one of these: Auditing Strategy or being the Strategic Auditor.

The total list is laudable and always has been. The list is also, primarily, a recognition of the capabilities and facets of the people in Internal Audit, our expectations of those people even knowing who and what we have put into those positions, and the value (and price) that the Executive and the Audit Committee are willing to pay for those skills.


Internal Audit is overhead, and overhead is something that is always on the block. But this particular overhead can lead to problems if it is not effectively managed. As an overhead, the desire is constantly to maintain or reduce the cost of the function, to reach that nirvana of low-cost, high-impact internal auditing. Sometimes this is achieved by seconding people from within the business into Internal Audit for a period of time, before returning them, up-skilled, to the business. Sometimes this is achieved by simply hiring cheap and young, all the while expecting professional depth, industry knowledge, and maturity in communication - both written and verbal.


Strategic Audit

We must recognise that to audit strategy, one must be a strategic thinker and must have a depth of profession and industry knowledge, and yes, enough years to understand trends and five (and longer) year business plans and decade-long business cycles. Auditing strategy requires direct experience with strategic planning and the business' own strategic plan, as agreed by the Board of Directors. It also requires a depth of understanding of markets, product lifecycles, customer expectations and potential market entry and exit obstacles.

Mostly, the Strategic Auditor must have the courage to ask Strategic Questions, not just questions about strategy and the strategy process, and the courage to communicate unwelcome messages.

The expression in France is that we are looking for the "five-legged sheep".


Reviewing Internal Audit - where's the Strategic Audit?

I remember performing the EQA (External Quality Assurance) review of the Internal Audit department of a large financial services company. Was Internal Audit complying with the "International Standards for the Professional Practice of Internal Auditing"?


I reviewed their plans (departmental and individual audit), the communications with the Audit Committee, individual audit reports, and walked through sample internal audits from the planning to reporting and follow-up. Their methodologies were sound, and from a compliance with the Institute of Infernal Auditors standards, they were mostly in compliance. To all appearances, this was an effective Internal Audit function.


But there was something about the function that worried me. I even remarked to a colleague that this was a fantastic 1990s Internal Audit Department (this was in late 2011). 

Eventually, I figured out what was making me so uncomfortable; There was no "Strategic Audit" concept in their plans, mission or actual programme. Financial Audit focused on the financial processes and statements, while Risk Management Audit looked at trading systems and trading activity in detail, or as much detail as they could. IT Audit was well staffed, as should be expected for a financial services firm, especially one with "over 100 trading platforms".

Wait, did I just say "over 100 trading platforms"?

This financial services business had grown through acquisition, and actually performed and delivered services through the common company and through a network of purchased but poorly if at all integrated companies. While every trade and every transaction was performed by the core company, actual trades were taking place across a plethora of independent systems, each with its own internal control environment, technology, and support services.

Internal Audit knew this, of course, and could show me how they would, through a multi-year Internal Audit Programme, reach all of the medium to high-risk units during every three-year cycle. And the audit reports demonstrated that while individual units reviewed did have some issues, on the whole, they were not finding significant control system breakdowns.

Yet the company was also going through difficult times, as had all financial services companies in the years after the Global Financial Crisis, and cost-cutting was an ongoing strategic imperative.

The CAE Speaks

Finally, I was able to interview the CAE, the Chief Audit Executive. We talked through what I had seen so far, my impression on the effectiveness of Internal Audit, and what my findings and report might look like. Where, he asked me, did I think there could be reductions in the Internal Audit department to gain headcount and cost savings?


I countered that what appeared to be missing from his team was a Strategic Audit function, and any Strategic Auditors.  Who was performing the strategy and strategic level reviews, for example, a review of trading platform strategy and the risks associated with having so many trading platforms? This was not in the plan, he told me, because he didn't have the resources to undertake such a review, and besides, he didn't expect that the results would be of interest to the Board.


I told him that I was very concerned that there were so many trading platforms, in an environment of cost-cutting and headcount reductions, that the overall level of risk would increase significantly. After all, if there were one or two (or ten) trading platforms, then his audit resources could focus on that more limited number of control environments. Further, cost reductions could only lead to a greater risk of controls being ignored or bypassed within the individual trading units. Wouldn't he expect to take a report to the Audit Committee suggesting a consolidation of systems?


His response was that such a recommendation would carry costs that would be beyond what the Audit Committee or the Board would want to hear at this time, and that after all, a greater number of trading platforms meant that their risk was diversified.


His Strategy was to avoid conflict, and he already knew that such a set of recommendations would only bring him into conflict with a Chief Executive and Board that were determined to drive down costs at any price. 


My conclusions (from the EQA)


It was now clear that the interview and discussion were over. I was to provide a report on their processes and procedures as aligned to and with the Institute of Infernal Auditors Professional Standards. Indeed that is what I provided.


Certainly, there were a few areas where they needed some attention, but so much seemed to be best (or good at least) practice.


Certainly, the customer satisfaction processes could have been improved. Likewise their budgeting per audit and communication of cost/value to the auditees and management. For a financial services enterprise, there was an unfortunate lack of effective automated and continuous testing, and it was recommended that the IT Audit unit look to introduce such processes.  


Going a little further, I also recommended that they should be linking their audit plan and programme to the risks included in the MD&A (Management Discussion and Analysis) section of their annual SEC 10K regulatory report.


But without the Strategic Audit capability, and the willingness of the CAE to bring difficult reports and recommendations to the Audit Committee and the Board, it was my belief that the function was inadequate. Of course, we were not allowed to say that, so we didn't. It never made it into the report.


Aftermath, and a slight problem


The EQA report was delivered and discussed. The findings were agreed, and promises were made to implement almost all of the recommendations. Some were disputed, as is to be expected. There was no discussion of the need for a Strategic Audit unit. That was not to go in the report.


So everyone was "satisfied", and the invoice was promptly dispatched.


If you look back to 2011, you'll see that one of the top-10 bankruptcies took place that month. Needless to say, our invoice was never paid.


Did the wide range of trading systems lead to their collapse? Not directly. Was it a symptom of a company in which effective internal control and a strategic outlook (especially from their Internal Auditors) was missing? I would suggest so. The inability or unwillingness to deliver hard truths and to speak strategic risk can damn an internal audit function and can have lasting damage to the company.


My Conclusions about Strategic Audit


I said at the beginning that Strategic Audit or Auditing Strategy requires knowledge and experience, and a strategic mind. It also takes courage. The courage to look at the strategic situation of the company and its market position, future plans and where it came from. 


Also to look strategically at the leadership and Director team, and communicate clearly (and frequently privately) what you are seeing, and why it makes you, the Internal Auditor, uncomfortable, and why that should make the Executive or Director uncomfortable.


Strategic Auditing takes courage. And what I've learned, through this particular series of events and others in small and medium-sized companies, is that the courage is not common in Internal Auditors. Not as common as the profession, and their employers, need.


The fifth, and too frequently missing leg of the Internal Audit sheep is Courage. Most frequently, the courage to not be a sheep.


13 September 2018

Focusing on SPOFs is never a WOFTAM

If there is one thing I really enjoy, it is having fun with acronyms. I did make one and tried to get people to use it but to no avail. I think it was an example of self-WOFTAM (defined later). But as this is not a blog about fun with language, but more about Risk Management and other Random Comments, I'd like to talk about SPOFs.

SPOFs are closely related to that other topic I have covered, the Delegations of Risk Authority, if only because so frequently when someone says "we've accepted that risk", you can bet there is a SPOF in there that they are simply unable to justify correcting, that they do not know how to correct, or that they have had too much push-back to keep trying to solve.

Too often there are invisible Single Points of Failure (SPOFs) across an environment. These naturally occur due to the constant changing of configurations, slowly introduced incompatibilities, and sometimes (too often) by short-cuts built into environments to keep the cost of the application to within the level of spending that was thought to be acceptable.

The following tale is, in principle and flow, a true tale.

I sat with the Systems Architects and looked at the environment diagram they gave me, and asked them to explain how systems and applications were reached by our users, and how a critical outage could have lasted so long (almost a week). The conversation went something like:

"Well, the application is on this server, and since the users are in this building, we keep that server in the network room in the same building."
Good so far.
Okay, where is the alternate server or backup system?
"We have a backup server in the network room in the other building."
Even better.
What happens if this server room should go down - that's never happened, has it?
Sideways looks from person to person.
"Well, it did go down last year."
And?
"We brought it back up."
Okay. How long was the system down?
"About a week. No, four days. We're pretty proud of that, it was only four days, and the users were able to keep working off-line during that time."
Weren't these users customer facing?

"Only some of them and they were able to take details on paper and ring the customers back. After the system came back."

SPOFs

It turned out that there was not one, but a number of Single Points of Failure (SPOFs) across the architecture, each waiting for that wonderful moment to manifest.

First, the primary server was in one location, and the backup server was in another. Backups were taken every night, and then transported to the backup site. Tapes were cycled between the sites. All pretty standard (and now replaced by a link for online backup to a remote backup device), except that recovery on the backup server to the copy of the application had not been tested.

So why wasn't the application just brought back up on the alternate server?

SPOF number two. Well, now it gets interesting. The primary server had a physical fault that required the replacement of physical kit, and the backup application was loaded on a server which acted as the primary server for an application with a different operating system release level and patch history, and therefore did not have a compatible operating system configuration. The "backup server" had not been updated, and was missing key licenses for underlying software required by the application.

The first attempt to bring the backup server into production failed because the underlying operating system and supporting software were not up to date. That took a couple of days to correct, with a rebuild of the backup server, while ensuring compatibility with the primary application on that server. Meanwhile, the primary service was being worked on by the engineers, who, on the recovery of the server, discovered that the network connections to the alternative site would not allow a pass-through for the users.

The list of SPOFs in this situation continued to grow, each needing to be worked through or around.

SPOF number three. The lack of adequate bandwidth required building a new set of IP pipes that would enable authorised users to access the backup from their primary location, without opening the application to access from any IP address. While not difficult, it was time-consuming.

Further adding to the problem was that as each SPOF was worked around, the primary objective of recovering the application meant that the SPOFs were mentally abandoned. Maybe one day we will go back and look at them again, but for now, our only priority is system recovery.

This was a wake-up call. A string of SPOFs had almost crippled a key element of the business.

What next?

The identification of SPOFs is not easy, and is a project in itself. In addition and from experience, once all SPOFs have been identified, the probability is that only 80% have actually been found. For months after, expect someone to come to the project team or lead and say "Um, I think we might have found another".

The list of SPOFs then needs to be reviewed, ideally by a combination of the technical people, architects and with input from users (for confirmation of criticality), for:

  • Completeness,
  • Criticality,
  • Likelihood,
  • Cost of remediation, and
  • Interdependence (caused by or contributing to another SPOF).

From this, a plan for remediation can be developed. Bearing in mind that such plans should start with remediation of the most critical and the most interdependent SPOFs. Eventually, the cost against remediation benefit break-point will be reached. However, it is not the role of the technical team to determine that cutoff. The cost of remediation needs to be determined, and a multi-phase and costed project plan developed. Multiple scenarios of levels of remediation at various price points should be provided so that those who have the authority to approve spend and the authority to accept a level of residual risk have the information that they need for decision-making.

Too often I've seen the "we've accepted that risk" type of response when considering specific SPOFs or elements of the plan. It is not the role of the technical team to accept those risks, but to communicate the risk and the cost of remediation to those with authority to accept that residual risk.

A note on cost.

It is almost impossible to remove all SPOFs. First, the costs become higher than the potential cost of a resulting event caused by a SPOF. Second, there are many SPOFs that, through analysis, will be seen to be of such low possibility that the cost of remediation will probably far outweigh the cost of a mad-scramble to resolve the situation should that SPOF eventuate.

Special consideration should be given to the high cost (for marginal return) and long time frame for remediating SPOFs. For the higher cost elements, it might be reasonable to identify human and process workarounds in the event of the failure of that specific SPOF. For longer duration remediation elements, additional consideration should be given beyond a simple cost/benefit.

For example, high-capacity network links can take some weeks to be installed, and the lack of such links can turn a simple recovery effort into a Business Continuity and Disaster Recovery exercise.

Finally, the Future.

Even when the SPOF remediation plan has been approved, work has taken place, new equipment installed and tested, and the project has reported back to the steering committee that the project has accomplished its objects, within budget and within time (no comment), the management of SPOFs is not done.

As mentioned above, systems and environments evolve. It will not take long for divergences in system configurations to creep in, for levels of installed software to become out of synch between production and backup, or for model office environments to slip out of synch with the production environments that they are meant to replicate.

A SPOF review on an annual basis will not be a WOFTAM, and will identify new SPOFs, or may result in a reassessment of the importance of a SPOF that was previously accepted.


(WOFTAM: "Waste of F*** Time And Money" - do feel free to use that, as it is one acronym that I've found myself muttering under my breath for years. Oh, and there is no copyright on it.)



11 September 2018

9/11 and Amerika is doing what?

Today is 9/11, the day that we commemorate those killed by those we supported and support to this day. After the horrible events of 9/11, never forget became an Amerikan phrase as well. And we do not forget. Four aeroplanes, 19 hijackers, the Twin Towers destroyed and the Pentagon hit, and one flight into a field after the passengers fought back. Eventually, Osama Bin Laden was killed, but before that, the Taliban government of Afghanistan was overthrown.

Yet all that Amerika is doing now is only encouraging those that perpetrated the attacks, expanding the range of people willing to carry out attacks, all the while backing away from real friends.

Have we forgotten what created the condition that allowed 9/11 to happen? Have we forgotten who actually did this? Meddling in the Middle East for decades, blindly supporting Israel and Saudi Arabia, no matter what they chose to do. 

Why is the US supporting the bombing of Yemen?

Why is the US supporting radical Islamist forces in Syria (and before that, in Iraq)?

Why is the Amerikan president saying that Canada is an enemy? The very people who gave so much support at all levels on 9/11. The country that went into closed parliamentary session for the only time in their history to help the US during the hostage crisis in Iran in 1980, is an enemy? What madness has consumed him and his followers?

15 of the 19 hijackers were Saudi Arabian citizens. None from Yemen. None from Syria. None from Iran. The Saudi Arabian intelligence services had contact with some of the hijackers when they were in the US preparing.

But the US invaded Iraq, and is helping to bomb Yemen (neither involved). The US, with the French and the British, helped overthrow Qaddafi in Libya (that certainly helped make friends).

But the US of Amerika is banning people from Libya, Syria, Yemen, Iran, Somalia, oh, and just to make it not be a "Muslim ban", people are also banned if they come from Venezuela and North Korea.

Travellers are not banned from Saudi Arabia (15 of the 19 hijackers), UAE (2/19), Egypt (1/19) or Lebanon (1/19).

Now I am NOT suggesting that Arabs or Muslims are terrorists. They are not. Not even a tiny minority. Yes, an extreme minority of extremists, just as in all religions.

Let's be very clear, if we actually wanted to ban terrorists, we would not allow southern white men and gun owners more generally to travel to the US, but as they already live there (and are citizens, though that didn't really matter in the case of a Latino Muslim Amerikan citizen who was arrested in the US and thrown in a military brig in the US, as an enemy combatant), there really is nothing we can do about them.

I am NOT suggesting that the US of Amerika has gone mad, I am saying that Amerika has gone mad. And while the community will allow the madman some leeway, eventually the madman will be expelled from the village. I think we are getting closer to expulsion by the day.

At least Amerika will be able to take solace from its close friends. Oh, wait...



06 September 2018

Is the Baltic Dry Canary telling us something?

The US economy continues to grow at a cracking pace, or so we are told again and again. Unemployment is down to record lows, and the stock market is back to record highs. Corporate profits are at record highs, and the (US) economy grew at 4.2% in the second quarter of 2018. Europe continues to grow, at least that is the message, Brexit or not. Not one month ago, the Baltic Exchange Dry Index (BDIY), a key measure of the cost of transport and a bellwether of international trade volumes, was at an annual high of $1774.

Is there anything to suggest that all is not well?

Officially, all is good in Economy-Land. Unless you are in the Emerging Markets (EM) where all is going to hell in a handcart. And if you do watch the BDIY as I suggested last month, you may have reason to worry.


https://www.bloomberg.com/quote/BDIY:IND

Years of Growth Ahead?

Some time ago (18 August 2017) I asked if the collapse of the employment participation rate during and after the Great Recession of 2008 had actually set the US up for years of economic growth as ejected labour re-entered the market, creating a multi-year pool of “new” labor. Was the unemployment rate artificially low due to the definitions used to define “unemployed”, and was there, in fact, a giant pool of untapped labour just waiting to be absorbed?

Certainly, European economies have had a chronic underemployment problem for the past twenty years, so there should be no shortage of labour, unless your production is in Germany (a problem that was supposed to be solved through the importation of millions of ‘refugee’ migrants to provide the new working underclass). 

Or black Swans a swimming?

Or, as I pointed out last month (6 August 2018), are there too many Black Swans flocking, ready for the first to set off a global contagion? Some are pointing to the ongoing EM rout and collapse of so many international currencies (Turkish Lira, Argentine Peso to name two) as the “Black Swan du jour” that may cause contagion in developed markets. Are the US markets being kept artificially buoyant with cash fleeing EM countries?

Or, are tariffs actually beginning to impact? Or, the EM route simply an indicator of the level of international uncertainty, with tariffs being one re-enforcing element?

If tariffs and the EM markets are all part of the same flock of Black Swans, then we should be able to see the rot in international trade. 

On the 6th of August I wrote:
"We need to keep watching indicators from around the world, and look for specific activities. The Baltic Dry Index provides a good indicator for us to watch. In the past months, the Index has risen from $1250 to over $1700 now. The Baltic Dry Index provides a reliable surrogate for global trade volatility, with higher trade volumes increasing the cost of freight, and falling freight volumes driving down the BDIY."
And so I have been watching the Baltic Dry Index, and it has not been pretty. In the month since I wrote the above, the BDIY has fallen from an annual high of $1774 down to $1477 today (6 September 2018), representing a 16% fall in that month.

As a reminder, the BDIY is a measure of the cost of freight, and as such is an indicator of volumes of international trade in terms of shipping. It is reasonable to expect the BDIY to rise and fall over time due to total shipping capacity, with fleets expanding too quickly for anticipated growth in trade resulting in a slowly lowering BDIY, and fleets falling as uneconomic ships are retired from the fleets and scrapped resulting in a slowly gaining BDIY. But that is for the long-term trend line only.

What we have seen this year is the BDIY increase significantly in the second quarter, just as tariffs were being mooted, but before they were actually brought into force. As I speculated in early August, the robust second-quarter GDP print could have been a factor of forward-purchasing and inventory padding to ride-out any transitory tariff impact. If that were the case, I suggested that we would see a fall in trade volumes in the third quarter, with the BDIY providing an early warning sign of such a fall in trade.

We are now seeing that fall, and while one month and a 16% fall could be a transitory fluctuation, it could also be an indicator that trade volumes are being hit, and we should expect a much worse third quarter GDP print.

If the BDIY continues to fall, it will be the clearest sign yet that the tariffs are biting, and that trade volumes are indeed falling.

Even as the BDIY was increasing through July, the Netherlands Bureau for Economic Policy Analysis was reporting that global trade volumes fell in June (I await the July figures).

As I said in early August, I will continue to watch the BDIY, as this may be one of our best canaries in the global trade coal mine.

The mob is spent, the counter-revolution will now begin

This week may go down in history as the end of the Trump presidency.

The core of Trump’s presidency has been the unwavering support of the Republican Party, and the fear within the elected cadre of Senators that any wavering of support will see the president turn on them. This week may change that.

This presidency is not a presidency of the “far right” or of any known political spectrum. It is the presidency of the disaffected who have been ignored for decades, and have watched industries die, jobs disappear, minorities appear to prosper, and most importantly, they’ve watched the corporations and the wealthy grow in power and wealth to their detriment. This presidency was the presidency of the revolution.

Of course, like all revolutions, those who had the power in the revolution represented those that knew how to mobilize and bamboozle the masses, not the masses themselves. People who carry swords and command soldiers, be they corporate lawyers or musket-wielding infantry, are not the people whose only weapons are the pitchfork and the torch. The mob is led, not by the poor and the downtrodden, but by the rich and conniving.

This is the presidency of the rich, the revolution commanded by the rich, to protect their wealth through a mobilized and manipulated mob. 

Ultimately, however, the mob realizes that they have been had. They realize that those who led them were their exploiters from the very beginning. Will the mob turn on the leaders of the revolution?

Sitting in Congress and the Senate right now are those who saw the revolution, feared that the mob would come for them, and aligned themselves with the “leaders” of the mob. They played the game for decades, and they have become rich and powerful off the exploitation of the system and most importantly the exploitation of those who elected them.  

And for the first year and a half of this presidency, it appeared the mob could be controlled, and as long as they publicly aligned themselves with the revolution and the President, they believed they could ride out the storm.

Now, this week, it has become clear that those closest to the President fully understood the bargain they made – power and security in exchange for supporting the leader of the mob. Fear and Anonymous have pulled back the curtain, and shown us all three things.


  • We see clearly that craven sycophancy is the only way to survive in the White House, even when you took an oath to uphold the Constitution. Stealing documents off the President’s desk so that he will not sign them, all the while writing the documents he wants in the first place, shows the lengths that his minions will go to try to curb the worst. They promise that they are trying to protect the country, while at the same time protecting themselves.
  • If anyone doubted that the President is unfit, then this week has proven beyond doubt that not only is he unfit for office, but that he is a danger to the United States. Did we really need to see him prove his ignorance by not being able to color the flag he tells us all to honor?
  • We have also seen a White House that is in open rebellion against the leader of the mob, and the mob is now seeing clearly that they have been duped. They cannot bring themselves to say that the revolution was unjust, and they will continue with the pitchforks and torches until their bloodlust has been sated. But that is going to take heads in baskets in the Place de Republic, and the heads will be those of the revolution who failed the mob.


This is what was shown so clearly this week. And this is why this week will be seen as the end of the Trump presidency. 

In Senate offices, and in Senators’ kitchens and constituency offices, the conversation today is about the lasting damage that will be, or has been, done to their names and prospects for the future. They know that when Trump falls, and fall he will, their support for him will earn them a one-way ticket to the guillotine. They now are faced with the calculation: how much longer must I hold the line, before I have held it too long?

They are all asking themselves "When this is all done, how will I be able to protect my reputation in years to come? Will I be able to remove the stain?"

They know that when Trump is gone, their support for Trump will remain on their record for the next twenty to thirty years. So how much longer must they support Trump, and yet still have time to repair reputations by saying that they too were duped by the leader of the mob?

Not all Republican Senators support Trump, but they do support the party and they do, more than anything, support their own grasp on power and the associated access to wealth and protection. But when the mob is in the street marching toward you, pitchforks in hand and torches burning, it is safer to pull out your sword and show the mob how much you support them.

But once the mob has calmed, and you have survived, there will be a time when you, holder of the sword, will turn on the leaders of the mob, and purge the mob. You with the power will ensure that this threat to your power cannot happen again.

This week will be seen as the time that those with the swords started, publicly, to turn on the mob, and to reassert control.

So this week, next maybe, we will see the first Republican Senators overtly turning on Trump, out of greater fear of being guillotined by the counter-revolution than by any residual fear of the leader of the mob.

The mob is spent, and their leader sounds desperate.

The counter-revolution has begun.