SASB’s XBRL Taxonomy; Stepping forward by stepping sideways

SASB’s XBRL Taxonomy

Stepping forward by stepping sideways

The future of business reporting is incomplete without a significant increase in the quantity and quality of ESG reporting, ultimately mandated by regulators and included in the scope of the external audit. For ESG data to be of an auditable quality, a common standard is required, with a level of rigour equivalent to IFRS or US GAAP standards approved by the FASB (and for the US government, GASB). To meet the need for higher quality ESG (Environmental, Social, and Governance) reporting, the SASB has just released an XBRL taxonomy version of their standards.

Is the SASB XBRL Taxonomy an extravagance, a step sideways, or in a strange way, a step forward for ESG reporting? Is an(other) XBRL taxonomy required, and if so, why and what benefit will be achieved (and for whom)? After all, there is already a GRI XBRL Taxonomy for Sustainability reporting.

The foundations for effective ESG reporting are being laid, but there remains a lack of compulsion that will be required to force companies to deliver.

Instead of another XBRL Taxonomy, I would recommend the SASB (VRF) put their energies and limited resources into:

1. lobbying the SEC and regulators to require ESG reporting in quarterly and annual reports, and
2. request the SEC to provide further guidance on how ESP information should be provide under Reg S-K, including the 2020 “modernisation” of the Rule, and
3. lobbying regulators to demand that ESG information be audited, and
4. developing course materials to enable universities to train young accountants to audit ESG information, and
5. developing CPD materials for established professionals to audit (including Partner review training) of ESG information, and
6. work with the data aggregators to develop easy to use reporting tools to analyse ESG content.

Sustainability data will remain “nice to have” until it mandated and it is audited, and any number of XBRL Taxonomies will not make that happen.

The importance of SASB

ESG (and Sustainability) reporting is not new, although its importance has increased through the pandemic and the climate crisis. When the Club of Rome released their “Limits to Growth” in 1972, there was little understanding of sustainability as a national and business priority. Over the next decades, that changed, and by the turn of the century, the first ESG and sustainability reporting standards were introduced.

The problem with almost all sustainability reporting standards is the lack of auditability of the reports, and the lack of accounting-standards level clarity or exactness of definition. It was almost impossible to ensure like-for-like meanings of the reported sustainability or governance concepts. Most standards were built with the PR department in mind, not Finance and share market or Compliance Reporting.

The SASB (Sustainability Accounting Standards Board) was established in an already well-populated ecosystem of competing standards for ESG reporting. However, SASB is the first standards organisation of develop a set of sustainability and ESG reporting standards to the same level as traditional accounting standards. The IIRC (International Integrated Reporting Consortium) was founded in the UK to pursue the development and introduction of the “Integrated Report” to improve the quality of business reporting. The SASB and IIRC have merged to create the Value Reporting Foundation (VRF).

For a standard to be successful it requires three market drivers. First a need must be satisfied that exceeds the cost of implementation – a compelling commercial case for implementation. Second there must be natural users or ‘consumers’ of the product of the standard. Finally, there must be regulatory drivers that compel the recalcitrant to implement the standard.

Until now, Sustainability and/or ESG reporting has lacked the third of these, in that sustainability reporting has been optional. This resulted in a plethora of standards (the GRI, SASB, CDP, UNGC, etc)* each providing optional levels of compliance and limited, if any, assurance mechanisms. We shouldn’t forget the “Accounting for Sustainability” (A4S) initiative from the Prince of Wales, or the Task Force on Climate-related Financial Disclosures (TCFD) initiative.

All of these standards are voluntary. This means that Sustainability and/or ESG reporting have been, by the very option nature of such reporting, an opportunity for marketing and PR to put forward the best story, especially if it is not the whole story.

SASB’s standard provides one of the first ESG standard with the potential to meet regulator’s needs for an auditable and consistent content definition. Therefore, when the third driver is in place (regulatory mandate), the SASB standard is ready to be used to provide the level and quality of data mandated by regulators.

The XBRL Dream

In 1998 (long before the first iPhone), a group of accountants came up with an intriguing idea. What if they were able to create an XML based standard for the “tagging” of financial information, so that all consumers of that information would know exactly what each piece of data actually meant. Of course, it was not so easy, as any financial and later “business” “fact” requires an awful lot of contextual information to give it actual and consistent meaning. So the XBRL (eXtensible Business Reporting Language) Standard was born, extending the XML standard considerably.

With XBRL, it was possible to state with certainty that one company’s reported “Cash and Cash Equivalent” actually defined the same accounting concept as another company’s reported “Cash and Cash Equivalent”. In addition, the “eXtensible” part of the standard meant that if you require a more granular concept than already exists in the taxonomy, you could add a new element.

Business reporting would be simplified, consumption of like-for-like information would transform analysis, and companies, through the (modest it was hoped) use of extensions elements, could “tell their story their way”.

Now it was simply a matter of developing a taxonomy of business terms, and convincing software makers to develop the tools required to support what had become a very complex standard.

The XBRL Reality

Unfortunately, the complexity of XBRL meant that for the first decade, all three of the major drivers for adoption were missing. There was no economic case for developers to create software or for companies to spend their money to produce financials and business reports in XBRL, because there were no consumers of XBRL (and little or no software to consume and use the XBRL). Finally, no regulator had mandated the provision of XBRL versions for key reports. Certainly, there were niche software houses that bought into the dream of XBRL, and a few companies that chose to produce XBRL. Some of the financial reporting aggregators even said that they could or would support XBRL.

In 2009 the SEC’s mandate for the provision of parts of the 10K (annual reports) and 10Q (quarterly reports) in XBRL came into effect. But they have yet, more than a decade later, to mandate that the XBRL content be audited, nor have the expanded the coverage of content adequately to the full reports.

Across Europe, regulators have mandated XBRL for everything from company reports to insurance solvency reporting. Companies House in the UK receives XBRL version of company financials from all companies. But as these files are, in effect, produced from templates, the dream of high-quality business data has not been met.

XBRL remains a cumbersome and limited standard, and one that is used only (other than very few exceptions to prove the rule) by companies that are required to produce reports in the XBRL format. There remains virtually no voluntary uptake of a complex and expensive standard that delivers unaudited data for which there is no consumer driven demand.

The best-mangled metaphor I’ve ever seen was used to describe XBRL. It is “like using a dinosaur to crack a walnut”.

Implications of the SASB XBRL Taxonomy

Now SASB has, with the assistance of one of the Big-4 who has supported XBRL from the very beginning, developed an XBRL Taxonomy for their reporting standard. This is good news. It will now be possible to “tag” the ESG data in XBRL for automated consumption by XBRL capable regulators and reporting systems. 

Furthermore, when a company tags an ESG “fact” in XBRL, consumers of that data will know that the underlying meaning and concept associated with that “fact” is exactly the same and the underlying meaning and concept of that “fact” reported by any other company using the same taxonomy and taxonomy element.

SASB’s XBRL Taxonomy will neither derail nor spur ESG reporting

Realistic and meaningful ESG reporting will not happen until regulators mandate not only the reporting but that the information is audited, and a dedicated XBRL Taxonomy will have little impact on the uptake of ESG reporting.

Only then will reporting companies provide information that investors can trust (Google “Greenwashing”).

The provision of ESG information tagged in XBRL (and audited) might be an improvement. However, the XBRL standard is so old and cumbersome that only a limited number of people will ever have the skills required to exploit data provided in native XBRL.

If SASB really wants ESG adopted…

SASB (or the Value Reporting Foundation as it is now called after merging with the IIRC) is probably the best standard for real, auditable, ESG information. If they really want companies to be providing ESG reporting, and using SASB as “the standard”, I would recommend that instead of playing with the Big-4 and XBRL, that their energies go into the list of activities listed at the beginning of this arlticle.

I would also challenge for any reader to add to that list. What else should the SASB/VRF be doing to encourage the uptake and use of ESG reporting?

--------------------------------------------

*  “GRI, SASB, CDP, UNGC”. These are four of the multitude of ESG “standards”: Global Reporting Initiative, Sustainability Accounting Standards Board, the Carbon Disclosure Project, and the UN Global Compact.

The Author: Daniel Roberts served as Chair of the XBRL US Steering Committee in 2005 and 2006, a time when XBRL US was working closely with the SEC to advance the use of XBRL for corporate disclosures. 

The Virginia result is a wake up call

The Virginia governor's office, and potentially legislature, have gone Republican. 

It looks like the Democrats have (I fervently hope) a huge lesson to learn. If you take power through the ballot box, you better deliver or you will be thrown out; not by your voters, but by you voters who stay home while the 'defeated' come out to vote. I sure hope that those in Congress and the Senate now understand that imperfect but progressing legislation is imperative. Progress must be made, and be seen to be made. No more digging. Just get something done, now.

Sure, there is talk of Democrats holding the line in other states, but the clear swing is against them, and this will be very difficult to hide between now and early next year. 

Reading about Sen. Kyrsten Sinema and her selling out to the American Chamber of Commerce and corporate donors, and the discussion of the disaster that is "Citizens United", it is difficult to have much hope (https://www.salon.com/2021/11/02/kyrsten-sinema-epitomizes-21st-century-political-corruption--but-she-didnt-cause-it_partner/).

According to the article, Senema voted against legislation supported by 70% of the population of her state. 

She should take a look outside the United States of Amerika to see what happens to elected politicians when they do that. Greece provides a good case study, with the Syriza government of Alexis Tsipras. In 2015 he put approval of the EU Bailout programme to the people in a referendum. 63% voted against approval, yet Tsipras flew to Brussels and signed the agreement. 

In the following elections, Syriza was destroyed as a political party, and while it is still the second largest, it is only one of a number of leftist parties, while there is only one centre-right party. Tsipras says (as he must) that Syriza will form the next government. He has little chance of being able to do that, as too many Greeks consider him a traitor. 

If Democrats in Congress do not start passing legislation promised as part of the rejection of Trumpism and a rejection of the Amerikan Taliban, there is the very real danger that Democrats will stay home. Voters staying home will kill a political party faster than increasing numbers of voters for the opposition. If you cannot convince your voters to come out, then you cannot win elections. And if you have reneged on exactly why you were elected, then you will be rejected.

The Next Pandemic - lessons from Covid-19

Difficult though it may be for us to acknowledge, the Covid-19 Pandemic has been, for all the deaths, illness, social dislocations and economic damage, a relatively “mild” pandemic by historical pandemic standards. With decades of warning and preparation, the arrival of Covid-19 was a surprise only in as much as the specific virus was not ‘expected’.

There are lessons to learn from governments, enterprises, communities and people’s responses to the Covid-19 Pandemic. We can look at those and extrapolate potential responses to a “Real Pandemic” of historical proportions. The Black Death (and subsequent pandemics of plague), and the “Spanish Flu” of 1918 are informative. While a repeat of the 1347 to 1350 Bubonic Plague is highly unlikely, a new flu or another pathogen with an impact similar to or greater than the 1918 Spanish Flu is quite possible.

This one was "easy"

The Covid-19 Pandemic is not over, and probably won't be for months to come, possibly a year or even two. The initial impact was one of illness, death, social distancing and dislocation brought on by seemingly interminable lockdowns. The daily litany of reports of illness and death out of Northern Italy and then New York, the seeming ineffectiveness of lockdowns, and the constant drumbeat of doom from all media sources, if not from governments, which varied from near panic to attempts at convincing their people that there this would pass quickly and was "just like the flu". Early in the pandemic, many governments told people that masks were not necessary for the general population, and were only required by medical professionals or those in close contact with Covid-19 patients. That advice changed later, but the damage to these governments' credibility around the world was substantial.

Fast action by other governments in many countries ensured that the immediate economic impact was limited, and recovery fairly quick once general lockdowns were lifted. There remain lingering economic problems, not least continuing disruptions to supply chains around the world. Employment is rebounding, and the United States is almost back to pre-Covid-19 employment levels according to the (flawed) percent unemployed rate.

Perhaps because of the (relatively) early warning and surveillance, the total number of cases and deaths was actually relatively light, when compared with previous pandemics. This is not to downplay the amount of suffering at the individual, community and national levels. The official number of deaths, at almost five million globally, is most certainly understated by possibly a half or more, and a final tally will not be available for years. Yet, the number of deaths compared with previous pandemics has been low. With “Long-Covid”, the health impacts on those who contracted Covid-19 will haunt societies for decades to come.

What have we learned?

Now that Covid-19, although still a considerable danger, is being brought under some measure of control, we can consider some of the lessons that we can learn. I am confident saying that Covid-19 has brought under some measure of control as vaccines and specific treatment protocols have evolved to greatly reduce the risk of mortality once an individual does contract Covid-19. And these vaccines and treatments were developed and testing in record time, founded on decades of research and an influx of substantial investment.

Some of our specific lessons that we should take away in anticipation of a future pandemic include:

Science and Medical Science. First the good news. The resources that were mobilised to develop and produce multiple effective vaccines has been stunning. The ability of the medical profession to quickly learn what therapeutic interventions work and which don’t was equally remarkable.

Government Transparency is still the cornerstone. Governments generally failed in providing honest and transparent information to their people. In some cases is was done for the right reasons, but frequently giving the appearance of amounting to secret agendas. This was exacerbated by government ministers in various countries flouting the regulations imposed on the rest of society. Furthermore, when a national leader is more worried about his image than the people, danger lurks. Refusing to allow passengers off an infected cruise ship to “keep the number down” reinforces distrust. Being quoted as advocating “herd immunity” as a national strategy while also holding daily “flatten the curve” briefings also erodes confidence.

"Flattening the Curve" worked. As discovered during the “Spanish Flu”, the biggest danger was that healthcare systems would become overloaded and care would need to be rationed. In much of the developed world the healthcare systems survived, although in cases they were strained almost to breaking point. Yet other countries provided lessons on what happens when the system is overloaded. In India in the second quarter of 2021, the healthcare system collapsed. The official death toll was 425,000 but the real death toll is estimated to be between eight and ten times that number. In Ecuador in 2020, the queues of cars and trucks carrying coffins into the central cemetery in Guayaquil suggested a death toll many times the official figures.

Medical and Critical workers suffered. The unrelenting pace of the pandemic in the first and second waves exceeded the capacity of many workers to cope. Unfortunately we are discovering that the denigration of medical works by conspiracy theorists combined with months of unrelenting overwork is driving many to leave the profession, that medical workers; nurses, doctors, and specialist support staff. We also discovered that “critical workers” are not the accountants and lawyers, but the rubbish collectors and supermarket checkout clerks.

Conspiracy theorists are all around us. Some will never accept the science, and will seek conspiracies and “Youtube Research” as the method to find some hidden secret; some undiscovered already existing treatment (suppressed by Big Pharma of course), a plot to impose tyranny or even outright denial. In New York City during the first wave in 2020, Covid-19 deniers were videoing the parts of emergency rooms and hospitals they were able to access, in order to “prove” that it was all a hoax. Unfortunately, the failure of adequate transparency contributed to this phenomenon.

Lockdowns have a limited acceptable span. While people are willing to lockdown at the height of a pandemic, there is a limit to people’s patience. The problem is that stopping the spread of a pathogen that is airborne and highly contagious is not something that just happens. Lockdowns are designed to deprive the virus of hosts, by limiting the potential number of people who can be infected. The problem comes when lockdowns are broken, and when “it won’t happen to me” becomes the prevailing sentiment. In the US, France, Greece and Australia, people held rallies and marched against lockdowns, creating their very own super-spreader events in the process.

Business showed surprising resilience. Certainly, the sudden shutdown of commerce came as a huge shock, but a combination of government fiscal stimulus and “work from home” directives helped cushion the blow. In countries with overt salary replacement (or partial replacement) by the government, redundancies and lost jobs were more limited than expected. A contrast is the United States which saw over 20 million people lose their jobs within a matter of a month and a half. The “V” shaped recovery has yet to fully replace those jobs, and labour market participation rates have stabilised at a lower level than pre-Covid-19.

Technology has come of age for remote working. Before the pandemic, concepts, such as telemedicine and remote “visits” to the doctor, were interesting, but there remained too many cultural and technical impediments. Allowing workers to work from home (or from anywhere) were considered leading edge and fraught with expectations of collapsing worker productivity. Both are now setting the standards for medical care and business operations into the future.

Supply-chain impacts are "long tails". Just-In-Time was the pre-Covid-19 mantra for an effective and profitable business. Exactly the right number of chips in the right place at the right time would hold down costs, push products out faster, and provide flexibility. This model works for Christmas ornaments as it does for automotive chips, as it does for delivering sweatshop-produced garments to stores across the developed world. In early 2020, global shipping stopped. Close the chip factories and the backlog of chips grows. Stop the ships and the backlogs grow, and once shipping is restarted, the backlogs become apparent. There may be a shift away from JIT to JIT Plus Buffer.

A pandemic is a politically exploitable situation. Finally, too many leaders found an opportunity to use the pandemic as a tool to amplify the “us versus them” of their local politics. This was most notable in the US (injecting light or Clorox anyone?) where public health measures, misunderstood by many and rejected as another government imposition, could be exploited as further evidence that the “Deep State” wishes to control people, and that Covid-19 is just another tool to accomplish that. In Brazil, the President openly declared that it was nothing to worry about, even as the death toll climbed and graves could not be dug fast enough. China blaming has also been unhelpful.

These are only a sample of the lessons we can take from Covid-19, and I’m fairly confident that I have missed some of the readers’ personal learnings. But all of these will matter, deeply, in the coming pandemic. The “Real Pandemic” that may kill ten or more times Covid-19s toll, and could happen any day now. For all we know, the pathogen that will become our new nightmare may already be circulating, just waiting to catch the international flight being called at Gate 15 right now.

What might the next pandemic (the "real" one) be?

Before we look at what we should be doing in anticipation of the coming Pandemic, let’s see what other pandemics have looked like, and consider a likely candidate for the next “Real Pandemic”.

Plenty of potential pathogens

There certainly are plenty of pathogens to choose from, ranging from the all too familiar annual influenza to the exotic. It would be easy to provide a list, but that would not be helpful, though it would be scary. Ebola would probably be on most people's list, but there are other haemorrhagic fever pathogens such as Marburg  And we should not forget the other SARS variants from the "original" SARS (serious enough) to MERS with a much higher mortality rate, at around 30% to 40%. Here however we'll only look at three; Plague, "Spanish Flu", and Avian Influenza. Why? Because the Plague gives us a benchmark of the worst case (we hope) while "Spanish Flu" provides a precursor to what I think is the most likely next major pandemic; Avian Influenza.

This is not to downplay the very real likelihood of Covid-22 or even Covid-23, etc. But for each of these, we can hope that the new versions will not be so novel as to be beyond the flexibility of the current mRNA vaccines technology to respond rapidly.

The Great Mortality

When it happened, the "Black Death", as we know it today, was called the "Great Mortality", and with good reason. The total mortality across Europe appears to have been between 30% and 50%, and higher in specific locations. While Bubonic Plague (caused by the bacterium Y. pestis) is generally accepted as the cause of the Great Mortality, there are some who think it may have been caused by other diseases, including plague, but also potentially including a haemorrhagic disease.⁽¹⁾

Originating in Central Asia and making its way westward, the Plague travelled at roughly the speed of sail, and overland at the speed of an oxcart. Were it able to spread at the speed of air travel, the mortality would have been the same, only the duration of the Plague, until it had exhausted the available human population, would have been quicker?

Our best records for the speed of spread and mortality of the Black Death comes from church records in England. By fate of history and good luck (and the absence of successful invaders since 1066), church records across England have mostly survived. These paint a picture of the plague as it marched across the country. These also provide a picture of the total mortality being between 30% and 50%, with outliers of course. For example, the Abbey at St Alban's was badly hit by the plague, and "there were few left to mourn the good man: forty-six other St Alban's monks died in the plague, nearly three-quarters of the strength of the monastery."⁽²⁾

Bubonic Plague is yesterday's plague, though it does continue to pop up around the world even to this day. But we know how to treat it, and it appears to have mutated over the centuries and has become a less mobile and easier to treat illness. So, barring some very strange mutations, the next Pandemic will probably not be a variant of Bubonic Plague.

1918 "Spanish" Flu

Influenza is probably the biggest risk, and there are precedents to warn us. The most worrying is the 1918 "Spanish Flu" pandemic. It is worth remembering that the current death toll from Covid-19 is just under 5 million, with the probable actual total being closer to double that (thought realistic final estimate will not be known for some years). The 1918 pandemic saw a global total of 50+ million dead, based on a global population that was about a quarter of the current global population.

In the Covid-19 Pandemic, the early call was to "flatten the curve" to ensure that the health system could cope with the projected load. The 1918 pandemic gives us a stark reminder of why this was so important, and why failure to "flatten the curve” was such a scary prospect to health planners and governments.

Camp Devens outside Boston in the US was designed to house 35,000 soldiers awaiting transport to Europe to fight the Germans. In early September it held 45,000 troops. The flu began to spread in the camp. “On 23 September William Henry Welch, one of the most distinguished physicians of the day, arrived bringing with him a team of America's leading medical experts. By that time, in the two weeks since it started, 12,604 men had fallen ill; sixty-three died on the day Welch arrived. Some took ten days to die; other were gone inside forty-eight hours. Hospital wards overflowed on to the porches and into commandeered barrack huts, and the bed linen was stained everywhere with blood and phlegm."⁽³⁾

In the Covid-19 Pandemic, most supply chains and agricultural production (in the developed world) continued to function, with some gaps. In 1918 the impact was far worse. In India, the monsoons had failed in parts of the country. "With over half of the population falling sick (and with the most severely affected people being those from twenty to forty years old), the harvesting of what crops there were was drastically affected. Production of feed crops declined by nearly 20 per cent compared to 1917; as a result food prices doubled, and the malnourished rural poor spilled into the disease-torn cities enfeebled and destitute."⁽⁴⁾

Avian Influenza; a potential next pandemic

Flu remains one of the biggest pathogen killers, Covid-19 notwithstanding. And through the Covid-19 Pandemic, the widespread use of masks seems to have resulted in a season without flu. Instead of rejoicing, there are now worries of a harder than usual flu season to come.

But what happens if an Avian Influenza not only leaps the species barrier (which happens a few times every year, but seems to have accelerated over the past year). "Only 46 human cases of H5N6 bird flu have been confirmed since the first case in 2014, but nearly a quarter of them have been reported during the last 2.5 months. At least 22 cases, all but one of them in China, were reported during the last year. H5N6 bird flu is known to cause severe illness in humans of all ages and has killed more than half of those infected, according to WHO. There are no confirmed cases of human-to-human transmission." (https://bnonews.com/index.php/2021/09/young-woman-dies-of-h5n6-bird-flu-in-southern-china/)

Most worrying is the small number of mutations that would be required in the Avian Influenza genome to turn it into a human transmissible virus.

If you have a sudden desire to be afraid, read the article "Three mutations switch H7N9 influenza to human-type receptor specificity" (https://journals.plos.org/plospathogens/article?id=10.1371/journal.ppat.1006390). The idea that three mutations can turn Avian Influenza into a high-mortality human-to-human pathogen is more than a little scary.

Being clear, I'm no "Youtube Researcher", and that article was written for people much smarter than me; people who understand the genetics of influenza and mutations. It is still a worrying article to read, even if I candidly admit that I understood little past the abstract and introduction. It is enough to convince me that Avian Influenza, or another influenza, may well be our next major pandemic.

Implications for the "Real Pandemic”

In part the list of lessons from Covid-19 form a core of our implications for the “Real Pandemic”.

Surveillance should see it earlier. There exists a strong international set of guidelines and processes for the notification of “reportable diseases”. The monitoring of these is a national security issue, and hopefully will receive the funding and priority that will be required to reduce the impact of the coming pandemic. Worryingly, national politics and concerns as witnessed during the Covid-19 Pandemic could still result in a delayed release of full information. Anyone who was not concerned when China locked down 56 million people simply was not paying attention.

Transparency will remain critical. Governments will need to be transparent to both calm their populations, but so       to be clear about what they do not know. The failure to be clear about the unknowns may have contributed to the loss of confidence in government institutions. Still, seeing the spread of a potential pandemic causing pathogen may not result in fast action by any government. Internal agreements or disagreements over jurisdiction may contribute to disagreements over the severity of any release or new pathogen.

Hesitance on the part of governments. Some governments will be hesitant to respond. The burden that Covid-19 placed on countries and on governments will serve as a dampener to rapid and effective quarantining and international border closers. Furthermore, the political cost of fast and assertive response may be perceived as being too high. “This won’t be a SARS or Covid-19” mentality will prevail until it is too late. Yet there are the tools that worked, and will need to be implemented to stop the spread of the new pathogen. It is probable that in many countries, there will be active rejection of restrictions, and large segments of the public may actively oppose government action.

Business will respond faster than governments. Much of the response will be culture-driven with the science taking a back seat. The driver will be workers who are watching, and beginning quickly to say that they feel unsafe commuting or being back in offices. We will see more hedging sooner of transport capacity including air cargo, and filling their JIT pipelines and inventories. On the downside, we may also see layoffs happening sooner in the cycle, as businesses cut staff earlier to hoard cash.

Medical and critical workers are not disposable, and cannot be easily replaced. A new pandemic could see these workers suffering PSTD type symptoms, with the danger that critical infrastructure may fail due to these workers cracking, or simply not showing up. Nurses who have been overworks and maltreated may decide that they would rather stay home and take care of their immediate loved ones, especially if the Next Pandemic is as serious as it could be.

Conspiracies will never die. Individuals will quickly split between conspiracy-theorists and rational people, with the rationale opting to avoid proximity, panic buy and prepare for personal lockdowns. Meanwhile the conspiracy-theorists will buy ammunition and will take to the internet “airwaves” to spread their message. Outside the US, the anti-vax, anti-science percentage of most populations is relatively small, including those who were hesitant to be guinea pigs for the new, ‘untested’ vaccine (many of whom have now been vaccinated). There certainly are those that are ambivalent, or even wary, but for the most part they will "listen to the science".

A higher death toll quickly will enforce lockdowns. In the Covid-19 Pandemic, lockdowns were, mostly, effective. In the coming pandemic, lockdowns will be self-enforced, as a rising death toll and the associated media and fear act to drive people indoors and away from others. Lockdowns, mandated or ad-hoc, will come into force sooner and will stay in place longer, enforced by communities themselves. Lockdown ‘breakers’ will be shunned, and denial groups will, while receiving plenty of media, find themselves equally isolated.

What can we do to prepare

Entities

Review & Revise contingency plans. A pandemic could hit at any time. That we have made it through this one (almost) does not suggest that another one could not already be brewing. Build the internal and external communications frameworks that will allow rapid response to quickly changing conditions. Test contingency plans to ensure they will work, and to learn from what didn’t. Most importantly, perform an in-depth “after action” review of how the entity responded to the Covid-19 Pandemic.

Review IT systems and capacity. A CIO I know, in developing a system, said that he wanted anyone to be able to access the system from anywhere. He begrudgingly agreed that anyone authorised should be able to access from any authorised location. That has served them well, as they were able to implement distributed customer support almost immediately. Companies should also retain a larger stock of pre-configured laptops. Another entity had 600 laptops in the process of being commissioned and decommissioned. This allowed them to rapidly equip a workforce that could no longer work from the office.

Reconsider the supply chain. Look to hedge what can be hedged, and look to increase critical inventories, and accept that a certain level of inventory “fat” may be appropriate to ensure continued delivery, especially if your competitors are unable to deliver. Review your supply chain with specific attention to the resiliency of each of the entities in your extended supply chain. Consider which elements of the supply chain can suffer disruption without excessive impact on business operations.

Confirm community relations. Companies and entities do not exist in a void, and need to be able to demonstrate their “good corporate citizenship”. This is true especially in times of distress. Consider plans on how not only employees and their families will be supported, but also how the entity will ensure its communities remain sane and sound.

Plan for After. After a recession there is growth, and after the pandemic there will be growth. Consider (and plan for) how the company will position itself to take advantage of the post-pandemic period. Will there be market opportunities? Will competitors be weakened and their market share at risk (or opportunity). Will suppliers be positioned to meet the entities needs in a post pandemic growth phase, and if so, what needs to be put in place now to ensure that the entity is at the front of the queue for capacity?

Personally

Each of us has a responsibility to ourselves, our families, our communities, and to our businesses and civil society (and the law). The following are a few suggestions. I am not a “prepper” and to not make pretences to be one. But there are a few precautions I take. Most of these are the precautions you should have in place anyway if you live in a hurricane zone or in a place prone to earthquakes.

Be/stay alert. Here I recommend that people subscribe (free) to the International Society of Infection Diseases “Promedmail” service. This is a great source of unending worry and potential panic, if only because it will send you an email of each case of a reportable disease. In January 2020 Promed Mail started to send out emails referencing a new pathogen in China.

Keep stocks of PPE. Unlike for a hurricane or earthquake, PPE is pandemic risk specific. Again, at the end of January 2020, after seeing the Promed emails and as Covid-19 (unnamed at that time) was just beginning to make news, I ventured to the local DIY shop and bought masks and protective suits. I then came home and put them away, chiding myself for being a worrier. I still have the protective suits, because thankfully I’ve not needed to use them.

Keep stocks of food. Again, I decided very early that we would need to be able to close the door for three weeks. That’s a long time when you consider what actually is needed. As a learning, when buying a three week supply of food and beverages, remember snacks. Being locked inside is much better with snacks. But also remember easy to prepare but easy to store for a long time foods. Remember water. Long-life milk is good to keep in the pantry. Buy your toilet paper long before you will be competing with everyone else for the last rolls on the shelf.

Don’t buy ammunition. If you need it, it will be too late, and it will not help you.

Footnotes:

(1) The Great Mortality; An Intimate History of the Black Death, the most devastating plague of all time. John Kelly, 2005.

(2) The Scourging Angel; The Black Death in the British Isles. Benedict Gummer, 2009.

(3) Catching Cold. Pete Davies, 1999

(4) Ibid.

 

Three Lines of Defence - A useful framework, or a crutch for the incompetent? (Both?)

The following was told to me by a person who was in the room. We were debating Three Lines of Defence (TLD) when he told me this story. I’ve reconstructed as much as possible, and confirmed the content with my source(s).

TLD can be an effective framework, or it can be a millstone dragging effective governance to the bottom of the pond. While the concepts behind the framework are sound, it only works as a framework; it is not a management system, nor does it provide a rigid demarcation of control activity. Most certainly, it fails as a model for the provision of assurance to senior executives and the Board.  TLD does not ensure or provide even a patina of confidence that those responsible for the effective implementation of the framework actually have the skill or competence to use the framework effectively.

This is a story of incompetence and a warning that the strength of the TLDs is only as strong as the least competent practitioner in any of the Lines of Defence, especially the Third Line.

TLD in the Company

The company espoused the TLD as a core part of its governance framework. Applied carefully, TLD (or 3LoD) is a framework that is easily understood at the executive and board level, and equally easily understood by line management.

The company trained managers in the concept of the TLD. This made it ‘easier’ for Risk Management and Internal Audit (IA) to gain management buy-in to ownership of risks and controls and to ensure management took ownership of reporting on the effectiveness of controls and processes. It also provided the common language that enabled people across the business to discuss risks and control, and understand the importance of, and different roles of, the operating monitoring functions.

The classic distributions were made between the Lines, with “First Line” defined to include all operational functions and processes, and anything that was directly customer-facing. Customer set up, ordering, fulfilment, and billing were all included in the First Line, as were customer complaints, etc.

“Second Line” was defined equally conventionally, to include Finance and Financial Reporting, MI (Management Information), Compliance, Risk Management, Governance (including Company Secretariate) and HR.

“Third Line”, following the IIA’s interpretation, comprises Internal Audit and is listed as the provider of assurance to the Audit Committee and the Board. 

The Audit Committee was well versed in TLD, and annually read and endorsed the IA Plan and the Risk Management Framework. TLD was so well embedded that at times it became a crutch and not a framework, something to fall back on when questioned, or when the obvious answers did not fit the problem.

The problem was that, TLD or not, business processes were inefficient, errors were being missed or discovered by accident (or by customers, which was worse), and staff were overworked due to inefficiencies. Management reporting was inadequate, and financial reporting was cumbersome and slow. The monthly close took weeks, with some critical financial information not available for up to a full month after the month-end. This financial information was critical not only for operations but to satisfy regulatory reporting requirements. Something needed to be done.

The company decided to review all its critical business processes, confirm controls were in place, and identify process improvement opportunities where possible.

Internal Audit

Internal Audit took the lead on the project, with support from specialists and Risk Management. The project fell outside the normal IA work programme, but this was accepted as process inefficiencies and failures had already impacted the company.

A list of those processes was made, and reviews of each process scheduled.

Of course, IA still needed to identify critical processes and potential areas of higher risk and to develop and deliver an IA programme based on reviews of those processes. This was done through an annual planning process that included input from the external auditors, but little or no input from within the business.

In this case, the senior Internal Audit Manager had alienated too much of the business, and was seen not as a value-adding or even confirming control effectiveness. IA had developed a reputation of being pedantic and measuring success by the number of findings, no matter how petty (or inaccurate), that were included in reports. Further, IA was known to demand that a recommendation be implemented, even if there was no budget or if the recommendation would not address the issue.

So the first lesson we should take is: Where Internal Audit has an adversarial relationship with functions across the business, maybe it is time to look at IA’s effectiveness. IA, especially when poorly lead, can establish a fiefdom and use TLD to protect its position and access to leadership.

In the case of the review of business processes, this leads to one of the most bizarre moments that has ever been recounted to me.

The list of business processes to be reviewed was developed and presented to the steering group, including the CEO. Someone from the Risk Management team asked why the month-end close process was not included.

“There are no critical processes in Finance” was the statement from Internal Audit.

“How can there be no critical processes? The CEO does not know the financial position for up to a month after the month-end. What about billing, payments or debt collection?”

Internal Audit persisted “Billing and debt are not financial processes. Those are operational processes and are part of the First Line.”

“Excuse me?”

“Finance is Second Line. Second Line only reports and supports First Line, so Second Line cannot have any critical processes.”

The room was quiet. People looked at each other, and then at the CEO.

He paused, obviously thinking about how to engage.

He then said, “can I suggest an offline review of the list of processes? I would expect to see more of the MI supporting and Financial processes included, because they are critical to my ability to achieve our plan.”

The second lesson we should take from this is that TLD, when used as a crutch, can embed ineffective governance, and provide a shield for incompetence.

The poor quality of MI and the speed of the financial close combined to undermine management’s ability to more efficiently manage the company, apply resources where they were needed, and provide assurance to the Board about the company’s status in relation to the strategic and tactical plans.

Unfortunately, the TLD model, as hijacked by the Internal Audit profession, reserves the provision of assurance to the Board as a Third Line function. Admittedly the IIA’s new “Three Lines of Defence” model conjoins the Senior Management and the Governance groups, while retaining the mythology of an independent Internal Audit. This is not the place to discuss if Internal Audit can ever actually be “independent”, but it is the place to reinforce the concept of the provision of assurance.

 

Real Assurance

All management provides assurance. That is what MI and reporting are all about. The information provided in management reports is compiled and provided to give assurance to the receiver that the status or situation reported is accurately reported. As information is reported upward (and summarised in almost all cases as it moves upward) there is an underlying assumption that the information is, to the best professional knowledge and experience of the information provider, accurate, and provides assurance that such information may be used for further decision-making.

Furthermore, IA is an overhead, and as such, the cost of the provision of IA will always be constrained. That constrained resource inevitably results in narrowing IA’s potential span of attention. IA will need to focus its limited resources on this highest risk business processes, systems or functions, and will not be able to provide the breadth of coverage required for real assurance to Executives and the Board, beyond the very narrow assurance over the limited areas of their attention.

This leads to our third lesson; that Assurance must be provided by all management, not only by the Third Line, and reliance on the Third Line for assurance, will undermine the quality of assurance that is being, or can be, provided to Executives and the Board.

So bringing our three lessons together we can see a recipe for disaster. An adversarial IA, using TLD as a crutch, claiming that only the Third Line (IA) is able to provide assurance. Bring these three together and the potential damage is huge.

Had IA prevailed, critical processes would have been ignored in the review, and fundamentally inefficient, yet critical, processes would have been ignored. Indeed, the Board would have been given “assurance” that all critical processes had been reviewed and were being improved (from a control and efficiency perspective), when it was clear that this was not the case, and that the CEO was missing critical business decision-making information, or that information was too old to enable effective and agile response, whether reactive or proactive.

 

If Covid-19 was relased from a lab...

The American government’s response to Covid-19 was a disaster, and if the “Lab Leak” theory was actually believed, then the response bordered on the criminally negligent. If the leak was intentional, the response was treasonous.

The “Lab Leak” conspiracy theory persists, and as there is no “proven” release vector, and the Chinese government has not been as open as it could have been, even I am forced to accept that it is a possibility. 

Of course, there are basically five potential paths here that the ‘release’ of Covid-19 could have followed:

1. A completely natural transmission between species in the wild (or int eh wet-market, etc).
2. An accidental release from a lab.
3. An intentional release from a lab.
4. Modification of the virus in the lab and accidental release.
5. Modification of the virus in the lab and intentional release.

The first two are effectively the same, as the release is of the native virus into the population, and the immediate source is irrelevant. 

The third and fifth are most worrying, as it implies the intention, but does not then confirm that it was something acceptable to the Chines government. If it was acceptable or done at the direction of the Chines government, then it was an act of war. Number four is a worry because it implies that the released virus could be more dangerous than the native version.

But, and here is the important point, if the US government has any evidence or reason to suspect that the release of Covid-19 came from numbers 3, 4 or 5, then the failure to effectively respond is tantamount to abandoning the American people. A vigorous response was needed, starting with stating clearly to the American (and world) people that a dangerous virus was released, that medical professionals and scientists were analysing it and determining the best way to protect yourself from exposure, and what to do in the case of exposure.

To downplay something potentially catastrophic was criminal. And 600,000, so far, Americans have died for that criminal neglect and deceit.

If the US government (and President Trump in particular) actually believed that the release was intentional and potentially of a modified virus, the response should have been fundamentally different.

An intentional release of a deadly virus would be an act of war, if it was aimed at decimating an adversary's population and economy. The response would need to be a national defence response, with the objective of halting the spread of the virus and protecting critical national infrastructure and command and control structures. In a shooting war, you do not tell your population that there is no problem and that you should not bother to support a national effort to respond. 

The Defence Production Act would be invoked almost immediately to produce the materials required to protect the population and prepare armed forces to support civilian efforts, and respond against an enemy if needed. 

Roosevelt did not tell America to carry on as before after Pearl Harbour, and Kennedy certainly did not mince words during the Missile Crisis. After 9/11, George Bush was famous for (not) saying “My fellow Americans, something bad happened in New York, and now Donald Trump has the tallest building, But don’t worry, very few people were killed (bigger numbers would make me look bad), and this will not impact you, so you can ignore it as a liberal plot to make us look bad”.

If (a big if) Trump and his cronies actually believed that the release was intentional (as a modified or natural virus) then basically that is what he has said. “We might be under attack, but as it will make me look bad, I’m telling you to ignore it”. 

Clearly, if scenario number five is the truth, and if there was any evidence to support that scenario, then the US would be at war with China. If an adversary were to engineer a virus and then intentionally release it (presumably after having developed some mechanism to reduce the impact on their own population, then that would represent a biological warfare attack. The fact that something is banned international treaty certainly provides no comfort or confidence that it is not or will not be done.

Therefore, if China did bio-engineer Covid-19, and did intentionally release the virus, then Trump’s failure to put the US on a war footing, to mobilise the entire federal government to the protection of the American people and allies, would be an unprecedented dereliction of duty. Furthermore, if the US intelligence community actually believed that to the case, then such information would have been shared with allies, to protect their people and to solidify an alliance against the perpetrator of a biowarfare assault on the world.

Yet none of this happened. Why?

Is Trump the greatest traitor in American history? Has he sold out the US to Putin and Xi? Or, more likely, is he simply the venal narcissist that he appears to be, surrounded by sycophants too afraid to disagree with him?

Any of those options are dangerous. Sure, he’s gone. But all those sycophants are still there, still rejecting facts, still hypothesising without basis, all to distract from his absolutely disastrous response. And they must distract, or the harsh light will fall upon them, and on their culpability in allowing 600,000 of their fellow citizens to die, so far.

Other countries reacted quickly, locked down, but kept the lights on. Leaders around the world listened to the scientists, tracked cases, isolated patients, quarantined individuals and cities. Took the hard decisions that leaders are expected to make.

Wonderful News: Republicans reject the 6/1 Commission

In the US Senate Republicans have blocked a bi-partisan investigation into the 6/1 insurrection. While some people are moaning and whining about the Republicans rejection of the Commission, I think this is great news. The Commission legislation as drafted should have been the Republicans dream commission. The bi-partisan agreement required agreement on which witnesses to call, who would get immunity, etc. The Republicans could have used that as an indefinite stall and pushed any meaningful results beyond the reporting date of the Commission. 

Republican leadership would have used the Commission to shield Republican lawmakers who are directly complicit in the insurrection, and would have hamstrung the Department of Justice, the FBI and other investigative agencies from doing their job. Even state-level investigations could have been impaired by Republican Senators and the Commission’s granting of selective immunity in exchange for testimony in front of the Commission, thus freeing these people from punishment or even a requirement to testify at the state level.

So not having those constraints on any Commission will be an excellent result.

Now the House Democrats can form their own Committee under their rules, and can compel anyone they want to testify, including former President Trump. Certainly, those who will implicate members of congress will be called, and will be required to testify under oath. Some may even be offered immunity for their testimony that directly accuses, not implicates, members of congress.

It is inconceivable that the invasion of the Capital on the 6th of January did not have support from and potentially direct collusion with some Republican members of the House or Senate. They need to be exposed, and they need to be charged. 

A Commission comprising, in part, a complicit subset of insurrectionists, with the ability to stop or delay testimony by those who will implicate them, is no Commission worth empowering.  

For example, Jim Jordan (“Gym” to me for his covering up the sexual abuse scandal when he was an assistant coach and the head coach was abusing wrestling students, who came to Gym for help, and who he turned away) is against the Commission. Why? Because he is a potential witness.

The Washington Post begins their article: “Several Republicans who oppose creating a commission to investigate the Jan. 6 attack on the U.S. Capitol are more than lawmakers making a public policy decision — they are potential witnesses to what former president Donald Trump and his aides were saying and doing as the mob laid siege.”

Even the House Minority Leader Kevin McCarthy (R-Calif.) would be a potential witness, to confirm the contents of his calls with Trump trying to get help, and being rebuffed by Trump.

The craven sycophants in Congress are running scared, and will until Trump is convicted in a court, or until individual congress members are convicted. And soon enough it will begin. And when they are charged, they will call it lies, of course, and their bases will, partially, either believe them or at least believe the lie that any alternative will be worse.

And enough will not believe them, and will stay home at the next election, if they are still in office and not in jail. But those who stay home will make the difference.

At the same time that the Democrat House of Representatives establishes their own Commission or Committee, the Department of Justice will be continuing its multiple cases against a wide range of people. This cannot be stopped by the Republicans, even though they will attempt to deride it as a partisan branch of government under the control of the Democrats. Logically this should be laughed at, as it will be pointed out that this is an acknowledgement that the DoJ under Trump was a politically partisan brand of government, but Republicans will spin that lie anyway. They can do that knowing that their acolytes either are too stupid to see what they’ve just done, or because they are too willing to believe that the “deep state” is Democrat and will be against anything that Republicans attempt to do.

Meanwhile, the little guys, and even the big-little guys, will begin to sing. They are already, we just are not seeing it yet. Enough of them were pulled into rooms and had the bright lights shown in their faces, with or without lawyers present. We won’t hear about it from the lawyers, since anything that they will be willing to say, grassing up their friends and militia-mates in order to stay out of jail will be with the approval of their lawyers to reduce their sentences. Not until the court cases. And then we will see the reports of who spoke with which members of Congress before the fateful day. Who knew what, and who encouraged what actions.

Because the little guys know they are going to jail unless they do deals. And some of them will be going to jail for a long time. Those that will only be in line for a short stint inside will also sing. This I said months ago, and I’m still confident it will happen.

In fact, when the Democratic majority in the House starts holding their own hearings, the little guys will be lining up to testify in exchange for some form of limited immunity. 

Meanwhile, at the bigger picture level, patience is the game. My main predictions from the 9th of January still hold: “First, the highlights. The 2024 Presidential Campaign will be fought by four political parties; the Democrats, the Republicans, the American Patriots Party, and the Libertarians. The split of the vote will be something not far from 55%, 25%, 10%, and 10%. President Harris will be re-elected in an Electoral College landslide that will eclipse Joe Biden's, and Trump's before him.” 

But it remains a waiting game. Mostly just waiting for the Republicans to continue to destroy themselves, and to leave traditional Republicans with no play to go, and no party to follow. The fiscally conservative, national defence and low tax voter will continue to watch the current Republicans spout treasonous crap while they lick Trump's boots (or wingtip shoes anyway). Trump will, at some point, have to dip into the $400 million that he scammed from people to pay to support his minions, even though supporting ‘down ticket’ (anything below himself) is not his style.

So with nowhere to go in their own party, they will either go to the Libertarians, or stay home. 

Ultimately, the rejection of the Commission by the Republicans was a self-defeating attempt to delay the inevitable, and I am thrilled.