29 July 2019

Saving the SEC’s XBRL Program

Some years ago I promised myself that I would not write about XBRL again. I’m breaking that promise. eXtensible Business Reporting Language was a major conceptual breakthrough when it was first developed in 1998. But that was over 20 years ago, and XBRL has progressed little beyond a regulator-demanded user-unfriendly standard with little (voluntary) uptake by report producers, and less evidence that anyone actually consumer and uses native XBRL. There are financial analysts in university (and possibly beyond) who were not born when XBRL was developed. 

At the heart of displeasure with the SEC’s XBRL program at the core of XBRL, the “eXtensible” concept, or as the XBRL community liked to sell the concept, “tell your story, your way”. Thankfully there is a “simple” fix that will save the SEC’s XBRL program, save filers time and money, enable to (almost) pain-free expansion of the program, and increase the likelihood of uptake by consumers of financial information.

Unfortunately, the complexity of XBRL has been a problem from day one. My all-time favourite condemnation of XBRL goes all the way back to 2008 when someone said that XBRL was “using a dinosaur to crack a walnut”.

But first some background:

There are uses for XBRL and XBRL-type reporting technology, but if you are considering going down that route, beware.

The idea was simple; each piece of information in a financial statement/report could be tagged in such a way as to enable the machine to machine communication of financial and business information. The use of a common taxonomy of elements ensured that a piece of data (a “fact”) tagged would mean the same thing to any consumer of that piece of data. Anyone producing financial or business data that was to be shared would be able to ensure that the consumers of that data would know exactly what they were consuming.

Soon, the FDIC (Federal Deposit Insurance Corporation), the US banking regulator, had incorporated XBRL into the Call Report process, ensuring as early as 2004 that all reporting banks in the United States were reporting using a common taxonomy.

All “successful” XBRL implementations share one key factor; they use “closed” taxonomies and do not allow filers or providers to add extension elements.

Today, around the world, XBRL is required by various regulators are the standard for data tagging of financial statements. And in virtually all of those implementations, from the UK to Singapore to Japan and the Netherlands (to name a few), financial statements are provided to the accountant or service provider who then converts Excel into XBRL and then submits that file to the regulator. The regulator then gets to convert the XBRL back into Excel for analysis. Why? Because XBRL is complex and resource-hungry, where the equivalent benefit can be achieved from a spreadsheet.

In the US, the SEC (Securities and Exchange Commission) requires that financial statements in the 10Q, 10K and a range of other filings, be filed in HTML and in an XBRL version. The SEC is also moving to require “Inline-XBRL” filings. Unfortunately, the SEC’s XBRL program remains a burden for which there has simply not been adequate, or even partial, buy-in from the producers or the consumers of companies SEC filings.

Fundamentally the SEC’s XBRL program has been a failure.

Producers of filings to not like it, and consider the production of XBRL to be costly and time-consuming. Don’t take my word for it, read the recent article following the SEC’s roundtable on short-termism from July 2019.

In listing the bullet points from the discussion of how to improve the 10Q process, the final bullet point stated: “And then, what about XBRL? (It was noted here that many issuers find XBRL expensive and very time-consuming and highly doubt its usefulness, not to mention that the SEC has just increased the XBRL burden for companies. Another panellist quoted an issuer as describing it as the “worst part” of the process.)” (emphasis mine).

The SEC itself is a lukewarm user, and if they have ever announced that it was the XBRL that allowed them to spot a case of fraud or financial misstatement then I missed that announcement. 

Data providers such as Yahoo Finance do not bother to provide a “download XBRL” button, and if you want the data, download it in Excel. If you want to XBRL, you’ll need to go to individual filing companies’ websites and download the files from their Invest Relations page, or you will need to go into the SEC’s EDGAR system and search on the company and download the XBRL from the SEC’s site.

While iXBRL (inline-XBRL) will be a boon to consumers of XBRL, at least those reading documents through their eyes, and wondering if the XBRL-tagged facts actually match the information on the printed form, this does little or nothing to solve the main problem; the difficulty of producing the XBRL in the first place.

The “FIX”

The US GAAP Taxonomy, the “dictionary” of allowable tags for financial statements contains over 18,000 elements. Or, as the AICPA said, “The US GAAP Taxonomies contain over 15,000 elements representing commonly reported financial concepts for US GAAP financial statements”. That was a number of years ago. But really? 15,000 “commonly reported”. And this number does not include the plethora of company-specific extension elements that are created every year. 

Fundamentally, every significant implementation of XBRL for the past 15 years (as long as there really have been any implementations of XBRL) has been based on a “closed” taxonomy in which filers are not able to create company-specific extensions.

To fix the SEC’s XBRL program, they should consider the following:

  1. Create a limited-set US GAAP Taxonomy. The original estimate was that at fully functioning IS GAAP taxonomy could be created with 4500 elements. While that number clearly is low, it should be possible to create a taxonomy that allows companies to report all “common” concepts in under 10,000 elements.
  2. Where companies cannot find the “perfect” fit element, they should use the closest element, and/or revise their reporting to ensure that they are reporting information that is common to their industry of to US GAAP principles.
  3. Encourage the development of “templates” for reporting. This will enable companies and service providers to produce XBRL as standard output, saving time and cost, especially for smaller filing companies.

Yes, this sounds simplistic, and it probably will not happen. 

Why not? Unfortunately, there are drivers for the retention of the complex system of company-specific extensions. Simply put, too many jobs are on the line. 

The FASB maintains a team whose job is the “maintain” the US GAAP taxonomy. This includes the annual release of an updated taxonomy in which new elements are added to cater for “common” company-specific extensions. Companies providing software will see their market disappear if the reporting process can be simplified. And of course, if XBRL is actually simplified, then it will become clear that almost anything that can be done with XBRL should be possible with learning engines and (gasp) Excel.  

After all, XBRL has been around for 20 years. That is 20 years of Moore’s Law improving the speed of processes, 20 years of improvements in systems and analytic capabilities, and 20 years in which IA and learning engines have, if not matured, then at least become mainstream.

It is time to fix the SEC's filing program. Fix it, or abandon XBRL.

23 July 2019

In search of a seamless relationship between Operational Management, Risk Management and Internal Audit.

I continue to be amazed by the too frequent disconnect between Internal Audit, Risk Management, and Operational Management. The artificial, though regulator sanctified, “second line” and “third line” functions are too often used to justify two (complementary) functions seeking complete independence from each other, independence that can undermine the effective identification and management of risks.

Operational Management (OM) is responsible for delivering the objectives of the organisation, and specifically the objectives of their function(s). Risk Management (RM) provides support to OM by providing the framework for identifying and helping OM determine and implement the most appropriate management strategies to cover the risks to the accomplishment of the objectives. Internal Audit (IA), by focusing limited resources on the areas of highest risk, confirms that key controls are in place and that they are functioning effectively to ensure that risks to the achievement of objectives are managed within the risk appetite of the business.

Within that previous paragraph, there are a number of important words and concepts, too frequently considered separately, when they should be viewed as part of a seamless set of processes and responsibilities. Sadly too often the three are not seen as part of that seamless delivery, with the second two being detached from OM and from each other.

Operational Management is responsible for delivery of results, and as such is provided with resources (budget) that are almost always limited in relation to the provision of any “extras”. Managers face annual budget challenges, and not infrequently are asked to make “savings”. Sometimes this can (sacrilege) include reducing headcount or increasing the level of output expected without increasing resources. Frequently it is the control environment that suffers when this happens. 

Risk Management can help OM to identify and consider the risks that they face, and can assist OM in identifying the controls that would be needed to manage the risks to the level acceptable within the business’s risk appetite. It remains, however, OM’s responsibility to implement the controls and to ensure the controls are functioning. RM can, and should, provide ongoing monitoring at an observation level of the risks and controls across the business.

(There is, of course, also the critical role that RM plays in the identification and mitigation of Emerging Risks and External Risks, but for our purposes here, we are looking only at the internal relationships and management of risks.)

RM confirms with OM that the control environment is functioning, as confirmed by OM and reviewed selectively by RM. The assessment of the current status of any risk is the responsibility of OM who own the risk and who is responsible for managing the risk. RM can suggest alternative views on the effectiveness of the management or the risks, both to OM and to senior management and the Board, but ultimately OM is responsible for the risks and controls. Furthermore, OM is responsible for determining how the provided resources will be applied for the achievement of objectives.

In this the assessment of the effectiveness of the control environment if firstly the responsibility of OM, and unless there is a fundamental disagreement with RM, it is OM's prerogative as to how resources should be applied. This includes the development and implementation of controls. While RM (and IA) can recommend, as it is OM that ultimately carries the responsibility, it is OM's decision. Escalation is appropriate only when there is a fundamental disagreement between RM (and IA) and OM.

Of course, it is appropriate that the Board be provided with additional comfort that the control environment is effective. Sadly the conflicting priorities of OM can lead to misreporting or inaccurate reporting of the effectiveness of the control environment. Likewise, limited RM resources can provide a general level of comfort that risks are identified, and that controls appropriate to the risk appetite have been implemented. 

This means that, while RM can and does support the implementation and operation of a framework for identifying and managing risks, it may be outside RM's resources to perform "deep-dives" into all areas of risk.

I am reminded of a bank that told their regulator that they treated all customers as "high risk" customers for due diligence purposed. The regulator's response was that if all customers were "high risk", then no customers were, and the real "high risk" customers would slip past the due diligence process. The bank was required to segment its customers and implement a higher level of due diligence than they had been performing.

IA’s role is to fill the gaps and to provide additional assurance that key controls in high-risk areas are functioning as per asserted by OM and that such controls are functioning with the risk appetite. So, IA’s role is the provision a “deep-dive” assessments of high-risk areas, to ensure that the key risks have been identified, that appropriate responses have been considered and agreed, and that controls have been put in place that brings management of the risks within risk appetite.

To summarise then:

  1. OM is responsible for delivering business objectives,
  2. OM applies limited resources to accomplish this,
  3. RM assists OM in identifying and assessing risks to the accomplishment of objectives,
  4. OM provides RM (and others) with regular reporting to confirm that objectives will be achieved within the acceptable risk appetite,
  5. RM confirms that risk across the enterprise is being managed within risk appetite, as reported by OM and as reviewed by RM,
  6. IA provides detailed “deep dive” assessments of the effectiveness of controls in the highest risk areas of the business, or where there may be limited confidence that risks are being managed within risk appetite,
  7. OM, RM and IA jointly provide assurance to the Board that there can be a reasonable expectation that business objectives will be accomplished with risk appetite.

A quick word about risk appetite: the risk appetite of the enterprise is set by the Board (with the assistance of senior management and RM) and it is the responsibility of OM to deliver objectives within that risk appetite. 

This means that RM should continuously confirm that OM understands the risk appetite as it applies to their areas and objectives, and should confirm that there is an effective control environment commensurate with the level of risk and the enterprise’s risk appetite. OM does not set the risk appetite; neither does RM or IA.

Being practical, this influences the reporting to the Board on risk and the effectiveness of the system of internal controls. Some practical suggestions that come from this:

  1. All IA findings should include discussion of the risks that have been identified,
  2. There is an IA finding only if the control environment is failing (or is expected to fail) to manage identified risks within risk appetite,
  3. All actions agreed by OM should be reflected against the risks as recorded and managed through the risk register,
  4. All IA findings and actions should be recorded against their associated risks, or new risks should be added to the risk register where there is no corresponding risk,
  5. OM and RM then need to update their review processes to ensure that the identified risk and mitigation is actually functioning.
  6. Where IA has requested confirmation of the implementation of new or updated controls, this should be provided.
  7. Annual review and approval of the updated risk appetite should then drive a review by OM and RM of the risk and control environment and will inform the IA review cycle by potentially changing the perceived highest risk areas.

These steps will lead to a more seamless integration of OM, RM and IA, and will improve both relationships at the operational level, and provider greater confidence to the Board that the control environment if well established, operating and being effectively monitored. 

05 July 2019

Prediction: A Minsky Moment is coming sooner than you think

Tipping points, unstable situations, Minsky Moments.  In 1996 Greenspan used the now famous phrase "irrational exuberance" to describe the Dot-Com bubble of the 1990s. "But how do we know when irrational exuberance has unduly escalated asset values, which then become subject to unexpected and prolonged contractions," he asked.

He was foreshadowing the coming Minsky Moment when the bubble popped. We are almost there, again.

Well, the US markets have reached a new record high. They have been pushing for that, ignoring data and building on the dream of new records. Each tweet from Trump is met with either a small market retreat (if bellicose) or a jump when he declares victory and withdraws (what I call the "Vietnam Solution"). Each manufactured crisis is shrugged off for the noise that it is, while each resolution of the manufactured crisis is greeted as a stunning "victory", and the markets move accordingly. Irrational Exuberance anyone?

Yet behind all the noise is the real economy, both the US and the Global economy as composed of a myriad of individual and linked economies. The reality is that the real economy(ies) are not in great shape, and this has not been priced in.

The past two weeks I've been watching the US markets go up and up, while at the same time the safe-haven, go-to-when afraid Gold price has bounced above $1400 for the first time since 2013. Normally when stocks go up, fear assets such as gold go down.

The US is now in uncharted territory, having entered the longest recovery on record. So just how much more "up-side" is there, or are investors "picking up nickels in front of a steamroller"?

Meanwhile, industrial production indices such as the monthly ISM are falling, and in some national (Germany) and US regional cases have fallen below 50, meaning contraction.

House prices have been falling in London for over a year, and housing starts and purchases in the US have been falling for months

The yield curve has now fully inverted. Why does this matter? Every (US) recession for the past 50 years has been preceded by a yield curve inversion, with the average time to start of the recession being 9 months from date of inversion. The yield curve inverted in March.

This to a background of continually rising corporate debt through the issuance of corporate bonds. "Companies from advanced economies, which hold 79% of the total global outstanding amount as of 2018, have seen their corporate bond volume grow by 70%, from USD 5.97 trillion in 2008 to USD 10.17 trillion in 2018." These bonds loads are easy to manage in a world of low interest rates and high liquidity.

And - the Fed is talking about cutting rates. Really? Cutting rate in the best economy ever? The entire point of starting to raise rates was to ensure there was enough "ammunition" (Feb rate cutting ability) to withstand another recession.

Finally, some are saying that the US (and the globe, for that matter) may already be in a recession.

Yet the US unemployment rate continues to fall, the participation rate (the percentage of the population that is employed) remains stubbornly lower than before the Great Recession.

So, when will we have our Minsky Moment, when sentiment turns and the rout begins in earnest?

It cannot be far away. And three months is probably very far at this point. 

How far will markets fall? That is anyone's guess. But they will fall, and it will be farther than most people would imagine today.