16 December 2018

The US was invading Cuba in 1962, but turned back

In 1962, the United States almost invaded Cuba. Almost.

The story of the Cuban Missile Crisis has been told many times, and there is little I can add to the history, except to say that the US was in the process of starting the invasion of Cuba, and that the invasion was called off. The following was told to us in a “Sociology of War” class at the University of Maryland in about 1982 or 1983. The United States was going to invade Cuba, and that airborne troops were in the air and on their way when Khrushchev “blinked” and Kennedy de-escalated.

Our professor was also an active duty US Army colonel (who by the end of the semester, had been offered a star to command a tank unit in Germany). He had joined the US Army as an enlisted man, a private. He progressed through the ranks, completed his university degree and was commissioned, and later completed his masters. In his early years, he was in the Airborne. He said of his year in Vietnam “when I arrived, I sprinted under fire from the airplane to a shelter, and when I left a year later, I sprinted under fire from the shelter to the airplane.” None of us doubted him, and the ribbons on his chest certainly were those of a warrior. 

He was also a scholar, and was teaching us about the importance of preparing a society for war; that leaders cannot simply say “bad guys, we must fight them” and automatically have the support of the people in pursuing a war. Likewise, there are processes that must be followed, steps if you will, to disengage a society from a war footing.

While speaking about the processes of preparing a society for war, he spoke about the Cuban Missile Crisis, and how each step in the process played out. I do not remember all, but years later I was able to see those steps play out in preparation for the invasion of Iraq in 2003.

He told the class that the official story was that the US was not about to invade, but that it would if there was no back down by the Soviets. As tensions rose, Kennedy stood firm and imposed the blockade on Cuba. All of this is well depicted in the film about the crisis, Thirteen Days

What that movie does not show is US airlifters flying from bases in the southern US toward south Florida. The Colonel told us that his unit had, on numerous occasions before the crisis, and at short or no notice, been mobilised and loaded onto aircraft and flown toward southern Florida, only to be diverted either back to their original base, or to another base in Florida. This was all about training and readiness.

At the height of the Cuban Missile Crisis, something different happened, that convinced him and everyone on the airplane that they would be landing in Cuba.

Loading an airplane full of troops is not unusual, nor is ensuring they have all the support materials, ammunition, radios, maps (yes, paper maps) of potential landing areas, medics and their basic equipment. They were used to this. And so there was the usual shuffling and grumbling about flying around for no good reason. Where would they end up, or would they just end up back at base in 10 or 12 hours? 

What they did not expect, and had never happened, was that this time the medics brought the plasma on board with them.

Plasma has a shelf-life of well under 24 hours if not frozen, and when thawed, the usable life at room temperature is 4 hours. “Fresh frozen plasma is stored in approved freezers at less than -30°C.  It is thawed just before use (a process which takes up to 30 minutes) and once thawed, must be infused within 24 hours if kept at 4°C (or 4 hours if kept at room temperature).”

This had never happened. Plasma is too valuable to simply throw away when the airplane is turned back. The only reason they would bring the plasma on board, the Colonel told us, would be if there was a very real expectation that the medics would need to use that plasma.

This was important, and was a clear signal to everyone on the airplane that they would be landing in a potentially hot situation. They would not be landing in Florida this flight, they would be landing in Cuba.

All the grumbling stopped; all the wondering stopped. Everyone on the aeroplane new they would see combat by the end of the next day. Their sergeants had always told them that until the plasma is with you, you aren’t going into real combat.

The United States was going to war, and the invasion of Cuba was in progress.

We know now that Khrushchev “blinked”. We also know that part of the “blinking” was an agreement by the US to remove its Jupiter nuclear missiles from Turkey. So much is known about the Crisis. The story above was new to me, and I have not seen it told anywhere else; that the United States was already “in the air and on their way to Cuba”, and the American troops were going to land in Cuba.

11 December 2018

I Bless the Rains down in Panama

I’ve said that Panama has four seasons: Sun Glorious Sun, When will it every Rain, Rain Glorious Rain, Dear Lord when will we see the Sun. The dry season is hot and dry, and the fields and roadsides are burned casting a pall of smoke over much of the country. We are entering the dry season now (December) and it will be Sun Glorious Sun for the next three to four months.

By then we will be wishing for rain, to clear and damp down the dust, and to bring green back to the city and countryside.

When the rainy season does arrive, it will rain more each month for nine months than the highest precipitation months for London in the UK. Or to put it another way, for only three months of the year will the rainfall in Panama City be less than the highest monthly rainfall in London.

The rain in London pokes at you, for hours, with cold little stabs all over any exposed skin. It is also driven by the breeze or wind, so it hits you sideways and does so all day long. It is as if God poured a jug of cold water over you and then sent it around and around in the wind, to hit you from every direction. Certainly, London has downpours, the wonderful April Showers to bring May Flowers. But mostly, the rain is a long drawn out affair, and once it starts you know that the day will be spent indoors if at all possible.


Panama City rain is different. It is tropical rain. The best description that I have is that God drops a dumpster full of water onto you. It crashes down for 30 – 45 minutes, then stops. Except of course for the deepest part of the rainy season, when all you really want is a few hours of sunshine.


Let's look at what that means. The upper photo was taken during a rainstorm. Not a terribly strong storm, as you can actually see the buildings in the background. The lower photo was taken a few hours later when the rains had cleared. In a very strong rain, none of the buildings in these two photos is visible.


The test questions for a Panamanian driver’s license give a clue to the impact of the rain. When studying for the theory questions, there is a set of sample questions available online. One of the questions stumped me:

What is the impact of heavy rain on your car?
A) You drive slowly
B) Your car stops
C) You drive with your emergency lights on
D) Watch for other drivers

I was stumped. Well, yes, driving more slowly makes sense, and certainly watching for other drivers is important – critical in fact. Emergency lighting makes a lot of sense with the intensity of the downpours. But no, the right answer is B) your car stops.

At face value that just doesn’t make any sense.

My car, well, any car I’ve owned, can drive perfectly adequately through the rain. And why would my car stop just because it is raining. 

The real meaning of answer B) is that the roads will flood, and any lower land or poorly draining areas will flood. And they will flood quickly. While the municipal drainage systems are reasonably good, the volumes of water simply overwhelm them, and very quickly some of the key roads will be a couple of feet (most of a meter) deep with fast flowing water. 

Here is how your car stops:




Yet for all that rain, the most wonderful things about it are that the rains clear the humidity (for a short period) and the rain is not cold, though it does take the heat out of the air. It a real pleasure to sit on a balcony during a rainstorm and be able to stay dry and cool.

05 December 2018

Panamanian Real Estate, the Central American Lobster Pot?

When looking around you in Panama City, it is impossible to miss the incredible number of skyscrapers and to miss the cranes and new skyscrapers that are under construction. Panama City ranks as number 21 in world cities with the most skyscrapers over 150 meters in height, with 50 such building, so far.

This is pretty incredible for a country with a population of just over 4 million, and a city with a population, if you include the entire surrounding area, of 1.5 million people, and a national GDP per capita of $22,000. This ranks Panama at number 80 in GDP per capita. Yet this clearly is not the case in the city and country. Average GDP is not $22,000 when wages for most workers range between $400 and $800 per month (with a "13th month" built-in bonus). 41% of the Panamanian workforce has not achieved even a high-school level education, a prerequisite for a growing knowledge working economy that can also sustain a consumer-driven economy.

Multi-year empty CBD office space
Yet there clearly is money sloshing about, or at least there was. Many of those very tall buildings are residential towers, with at least one being 62 floors with a swimming pool on the roof. Yet looking at those towers at night and counting the lighted floors, and it appears that the buildings are 30% - 40% occupied at best. 

The same situation holds true for office and commercial real estate (right), at least at the middle to higher end. A nearby building, with 24 floors of office space, has had at least 9 of those floors empty for the past 18 months or longer. In all probability, those 9 floors have never been occupied. Yet the building continues. The photo at right was taken early in the morning to clearly show the empty floors, with the sun shining through unimpeded by furnishings, partitions or internal walls.

Construction represents just under 20% of the Panama economy, a level that cannot be sustainable over the longer term. Yet that construction boom has continued year after year.

All the way back in 2007, Reuters reported that, even before the full impact of the Global Financial Crisis (GFC), Panama City was on track to bring more apartments onto the market than Miami in the 1995 - 2005 decade; over 11,000 units by the end of 2010. Not all of those units were built, but many were. And while the GFC certainly slowed everything down, building picked up again. Between 2017 and 2019, over 8,500 new apartments are expected to come to market.

Who is buying these units? In a city in which huge numbers of people live on the minimum wage of $2.50 (average) per hour, feeding the family is more important than aspiring to live in a high rise. Even professionals earn is the range of $1200 per month. 

So "average" people are not investing in these apartments and commercial buildings. But someone is.

Google Maps, 2018
Look at Panama's location on the map, sitting between Costa Rica to the west/north and Colombia to the south. Noriega was overthrown, officially, because he decided to participate a little too actively in the drug trade, instead of helping the Americans to stop that trade. Admittedly there is more than a little evidence that he worked with the CIA and others to ensure that drugs reached America. Yet when the Americans decided to remove him, it was not for his rejection of the "School of the Americas" (for training right-wing governments and their security forces in counter-insurgency and "public order"), it was because he refused to stop the drug traffic. The cultural and emotional scars of that invasion remain.

Noriega was a small-fry, and the drugs were going to come from Colombia and Peru no matter who was in power in Panama, and those drugs were going to, and continue to travel north via Panama and Costa Rica and other countries in Central America. And the resulting drug money needs to go somewhere.

We were recently informed of a finca (farm or undeveloped country land) for sale - hundreds of hectares. Literally a few kilometres along each boundary. Who was selling it? "Oh, he's a narco from Colombia" we were told, completely matter of factly. (we were looking for 4 - 5 hectares, not 500+ hectares).

For a narco, like any investor, the choice is pretty simple; do I concentrate my investments in one sector or one country, or do I diversify? Panama, and Panamanian property and construction provides a good diversification opportunity that is not under the control of the Colombian or American governments.

But not all the money parked in Panama is dirty. If you lived in Venezuela in the 1990 and early 2000s, it was a rich country. And there were many rich Venezuelans. There still are, though far fewer. But those that are still rich saw what was coming and moved some of their assets out of the country. Where did that money go? Certainly, much of it arrived in Panama as investments in residential property, and specifically in the new towers that were going up all along the Ave Balboa and overlooking the Pacific Ocean. 

"Clean" money, for the same reason, has flowed in from Colombia, Brazil and Argentina. Panama is a "safe" place to put that money, where it cannot be seen by your home country government (this might change) or by the Americans, who are trusted by no one in Latin America.

The downside for these investors, clean and dirty, is that there needs to be a market into which they can sell the asset, otherwise there is the risk of a "lobster pot" economy. It is easy to get in, but almost impossible to get out. Yet as most investors are looking for somewhere "safe" to park their money, Panama continues to appear to be a good place to park it. The economy continues to grow, albeit at a slower pace at the moment, and investment opportunities in commercial and high-end residential real estate abound.

Yet one day the government of Venezuela will fall and be replaced by a government that actually seeks to grow the economy by encouraging a functioning market economy. When that happens, Venezuelan money parked offshore will attempt to come home. That will mean selling assets outside of Venezuela, which will include property assets in Panama. We are already seeing examples of individuals seeking to sell, and it looks ugly.

Overheard was a conversation in which a gringo was lamenting the difficulty in selling an apartment bought seven or eight years ago. While background prices of property investment have increased for new-builds, existing high-quality properties cannot sell. This gringo was looking at selling for almost 20% less than the seven or eight-year-old purchase price.

This story is hardly unique, and while the likes of "International Living" and many gringos in Panama continue to laud the country and residential property market, the "lobster pot" continues to trap lobster after lobster.

For some people that will be acceptable - better a 20% loss on an investment in Panama that a confiscation of 100% of the asset in Venezuela. Likewise, such a loss by a narco is still an 80% retention of gains from the production and sale of an illegal product - drugs. Money laundering always costs a higher premium that moving clean money.

Still, the money flowed in, an almost constant river of money through the 2000s and 2010s. But last year (2017) the flow began to slow. What happened?

It seems, though I have no evidence to support this, that Venezuelans have simply run out of assets to get out of the country, while at the same time, Colombians, with the peace deal with FARC, have found home a safer place to invest. Argentina is back in crisis, and has spent so long in various crises that any easily movable financial assets have probably already found homes outside the country. If the crisis continues, there may come a time when Argentina actually becomes a magnet for investment.

Anecdotal evidence (that means someone close to the industry told me) suggests that in 2018, construction permits for new construction in Panama City are down by 50% on permits issued in 2017.

Does this foreshadow a squeeze in available properties, or saturation that will require a correction to soak up excess capacity? I do not know the answer, and there are probably three answers for every two people in Panama that you ask.

So to come back to the original point, the money in Panama is not coming from organic growth, but from external investment. Unfortunately for Panama, that external investment is in large part going into construction, and therefore is building wondrous high-rises and commercial property. It is not building the foundations for a self-sustaining economy. Cut off the foreign construction investment, and there is inadequate local demand or debt servicing capacity to replace the construction industry job that will be lost.

A country in which 41% of the working population does not have a high-school level education cannot sustain a "knowledge worker" economy or an economic pyramid. An upturned drawing pin (thumb tack) economic "pyramid" cannot sustain a construction based economy without a consistent and continuous flow of inbound investment.




29 November 2018

Risk Management is all about Choosing; Sometimes it is Personal

About three months ago, a dear friend was diagnosed with a serious condition. At some time, a medical intervention would be required, either major surgery, or potentially keyhole surgery. He, with advice from his specialist, had to choose; surgery now, or monitor the situation and plan surgery at a later date. There were many reasons that either choice would have been acceptable – get the surgery out of the way quickly to reduce the risk of a catastrophic event, or wait six months until the family was in a good position to be able to handle the disruption.

The condition could manifest itself any time, or might not for a few years. What should be done? If they agreed to go ahead with the surgery immediately, then it would probably take six to eight weeks to schedule the surgery, and only the major surgery option would be available.

In weighing up all the factors and eventualities, his specialist suggested that the situation be monitored, but that if he had any events that were of concern, to contact the hospital immediately, and they would schedule the surgery, major or keyhole depending on what was happening or required. With other factors in his family life at that time, a delay would have been best, as long as the doctor felt it was safe to do so. He chose to delay. He also choose to "mitigate" through continuing his exercise programme, and ensuring he was as fit as possible.

Risk Management is been defined in many ways, as has Risk itself as a concept. ISO31000 uses the very bland “effect of uncertainty on objectives”, while my own definition for the past 25 years has been “the possibility of something bad happening, or something good not happening”. Of course, risk by itself exists in everything we do, and in all the decisions and choices we make, as individuals, companies, families, cultures and countries.

But that misses the primary point of Risk Management. There is too much talk of supporting decision-making, providing insights, developing or supporting the development of risk appetites, and on the list goes. But what Risk Management is really all about is “choosing”. When we remember that the decision to do nothing is a choice, as is a decision to do something, then we get to the heart of what is Risk Management, and that is the very act of choosing, to do something or to do nothing, in an informed manner, with intent and with expectation of the choice made delivering a more desired and desirable outcome that the alternative choices.

Is there a role for fate? Of course. After all, it is not possible to influence all choices, or even to identify the full range of choices that must be made. It is, however, the proactive choices that prepare for the potential for fate to intervene, that can influence the severity of the results and impact. 

We can look at this from two directions. In order to make an effective decision, all risks and rewards need to be considered and Risk Management is instrumental in assisting with that decision making. Looking from the other direction, Risk Management should only be providing support to enable those with the authority and responsibility to choose. Therefore, if there is no choice, then does Risk Management have anything to offer (in this particular case) and should Risk Management then be focusing on where choices must be made?

This feeds directly into the prioritisation of Risk Management attention, to focus on the areas that require decisions. Yet how does Risk Management achieve that? Unfortunately by looking across the spectrum of potential choices and attempting to assess which of those meet the following criteria:

  • Biggest impact (positive or negative) that may result from choosing
  • Criticality of the timing of choosing
  • Underlying longer-term impacts of not choosing
  • Level of authority required to choose


For each of these criteria, any risk (or control, and yes there is a relationship to internal controls and Internal Audit here) needs to be considered, at a level of attention commensurate with the balance of the four criteria. Operational level decisions (choices) should already be subject to appropriate oversight and consideration, and probably are not the most effective allocation of Risk Management resources, while the processes of consideration and authorisation of those operational choices at the senior level may be of considerable interest. The processes (and resulting choices) for determining and confirming delegations of authority will have lasting impacts on the culture and associated effectiveness of decision making.

Six weeks after choosing to delay the surgery, “The Event” happened, and my friend very nearly died. He is recovering, after truly heroic efforts of a simply magnificent surgical and ICU team. He has a long road to recovery ahead, but he will make it.

Had they decided to go ahead with the surgery at the time of diagnosis, in all probability the event would have happened before the surgery could have been scheduled.

So was the choice the right one? How can we know? We do now know that his fitness (a choice) and effective diagnosis before the event (another choice) ensured that when the event happened, he was physically most able to sustain the terrible damage. We also know that with the diagnosis, the emergency services were able to get him from the local hospital to the best specialist hospital in the country, immediately.

The Risk Assessment in this entire situation was the identification of the potential problem through effective diagnosis, and a defined and agreed treatment plan. The choosing was when to intervene, and this was the Risk Management.


19 November 2018

Checkpoint: 115 Months of recovery, where are we?

In February 2018 I noted that the recovery had reached 105 months (I must have been off in my count, as the WSJ today calls it 115 months so far, with the longest in US history being 120 months), and asked what could end the recovery. I listed nine possible scenarios that could crack investor confidence sufficiently to cause a sustained market downturn or crash. How have those nine held up over the past ten months, and has the level of risk increased or decreased?

If we should take any lesson from the passage of the past 10 months, it should be that we are closer to the storm, not that we have avoided it.

There has been, with the US mid-term elections, both a reduction in the level of risk and potentially, a major increased risk event. More about that below.

As a recap, the nine potential issues (one removed, one added) that could bring about an end to the US recovery include:

  1. Interest Rates;
  2. Inflation shock; 
  3. Budget deficits;
  4. External Shock;
  5. Housing market;
  6. Automotive Loans default rates; 
  7. Credit Card delinquency rates;
  8. Environmental event; 
  9. Mid-term elections


After years of single-direction trajectory for the markets, the February correction jolted people from their complacency, but concerns were short-lived as the markets recovered and eventually reached new highs in early October. Then there was the October market shock, and now it appears a post-election bump.

Being very clear, I still do not know if the top has been reached, or is there more headroom in this market. I have no idea. None. Also being clear, while the discussion focuses on the US markets, there is nothing in here that either does not have or is not impacted by events and economic situations in other countries.

If the markets continue their advances, how far can they go, and for how long? Is the US in the "demographic sweet spot" that I wrote about in August 2017? I asked if the fall in the US labour market participation rate had been strong enough to create sufficient pools of surplus labour to allow for multi-year growth as that surplus labour drip-feeds into the workforce. If it is, then there may actually be a few more years of growth in the economy and the markets. If not, then the third longest recovery in US history may come to a sudden end.

So having presented all the caveats that matter, the question remains; when will the recovery end, what factors could cause a market rout, and how close are we to that happening?

Interestingly, almost all of the nine catalysts has deteriorated over this year, increasing the chances of any one of these reaching a tipping point, and with contagion, bringing about a multiple Black Swan event stream.

In February I wrote “Most important, there is not one situation that will cause the coming crash, and all are interlinked and interdependent. Each can, and probably will, impact and potentially exacerbate another or multiple others.” That assessment remains true, and the deterioration of each potential catalyst since then has only increased the probability of such contagion.

Below I look again at each, with a potential update on the current situation.

1. Interest Rates: Fed rates hikes have continued through the year, and there is an expectation that there will be another rate hike in December 2018. I predicted that the Fed rate would continue to rise, and it has. More importantly, the 10-year Treasury, hovering then around 2.9% up from a low of 2.06% only six months previously, is now in the 3.2% range, and will go up further with additional rate hikes. Eventually, returns on “zero-risk” assets will move closer to the returns that can be expected (minus the desired margin for risk) from risk assets. When that happens, there may be a flight to Treasuries. There continues to be the additional risk of tipping point in consumer credit growth due to increases in interest rates. Interest rates remain a potential cause of a sudden drop in confidence.

2. Inflation shock: While the years of QE, QEII, Twist, Abenomics, and ECB purchases did not create the inflation shock that should be expected from too much cash chasing too few assets, there are signs of inflation beginning to creep in – in employment costs. Surplus labour is being consumed, and the dearth of skilled workers is beginning to be felt. While demographically the US may have a deep lake of workers waiting to return to work, the decade of reducing participation rate has stripped many of these workers of skills that are required in an economy that has changed so significantly in that decade.

3. Budget deficits: the official 2018 US federal budget deficit is $779 billion, and has jumped 17% since 2017. This, of course, is not the actual US federal budget deficit and total borrowing by the federal government, because it only includes “budget” items, and does not include a wide range of additional spending that has resulted in the US federal government actually borrowing $1250 billion. A Congressional Budget Office projection stating that servicing of the national debt will exceed 8% of the 2019 federal budget (from a current 6% of the federal budget)? As interest rates increase, so does the interest payment obligations of the US government. At some time, there will be a confidence shock related to the budget.

4. External Shock: In the past 10 months there are been plenty of External Shocks, and defying expectations, none seem to have actually impacted levels of confidence in the US economy (and it is the US economy and markets that will crash the rest of the world). Turkey has crashed, as has Argentina, and Venezuela continues to perform to form. Equally unsurprising, there has not been a war with North Korea (not that there ever was going to be a war with the Norks – and yes, The Donald was played like a cheap fiddle). 

Yet potential external shocks remain, and the most “predictable” today include the Italian budget, Brexit, and China. None is a war, but we shouldn’t discount the possibility, with Iran being vocally belligerent (with the threat to Oil supplies and price) after the imposition of the extremely harsh sanction by the US, and an accident could spike tensions in the South China Sea at any time. Extreme but highly unlikely events might include the fall of the current Crown Prince in Saudi Arabia and an associated short civil war.

5. Housing market: The US housing market is turning, even though it has had a very strange 6 months, with months of good starts, contacts and completions for both new and existing homes, and months of badness in the numbers. The latest information suggests that optimism is gone from the market. Optimism drives the market, as without consumer optimism major purchases, and a home is one of the largest purchases most people will ever make, will be postponed. 

6. Automotive Loans default rates: This is one area where the numbers appear to be improving, with auto loan default rates reducing marginally in the previous quarter. Current default rates are increasing, and the total outstanding loan period is also at a record high. In 2018 the most common car loan term was 72 months, and average new car loan monthly payments have reached a record high of $531/month. In addition, over 30% of used car trade-ins are under water. Combine the two, and the consumer is likely to become trapped in the vehicle they are in, and with that trap will come a reduction in car sales, and an expectation of future poor performance by the automotive section.

7. Credit Card delinquency rates: The American binge on consumer credit continues, and in fact never really stopped. Net savings rates are at historic lows of around 2% (average across the entire economy) while credit card debt continues to rise. This is unsustainable. However, so far delinquency rates are not rising, and remain cyclically low at around 2.47%, and in fact remain lower than before the GFC.  None the less, with consumers continuing to splurge on consumer debt, it is only a matter of time before delinquency rates start to climb again. 



8. Environmental event: In a strange twist, the hurricanes and fires that have caused so much damage and misery across the American south and west are now beginning to show up as increased economic activity. The latest retail and home improvement sales have shown a nice jump, probably due to rebuilding activity. Unfortunately, like wars, this is false economic growth, as the country and the people spending the money are paying to return to something less than their pre-event status.

9. And, the Mid-term results: And of course there is now the new situation that could result in longer term (18 months at best) stability, or could result in a US national trauma that spills over into markets and globally; the Mid-term results. It is a given that there will be investigations, indictments, and quite possibly an impeachment, or at least the start of an impeachment process. We will enjoy the drawn-out process of the President attempting to keep his tax returns secret, and fighting subpoenas all the way to the highest court, if he can.

We will also see any market setback being blamed on a Democratic House refusing to go along with his additional tax cuts. A government shutdown is also possible.

One thing is certain, legislative gridlock and a shutdown in the passage of meaningful legislation to help the economy.

Whatever the trigger, when the fall in the markets come, it will be steep and quick, followed by months if not quarters of a cyclical bear market. And while I am writing based on the US economy and markets, the same issues highlighted above are true for so many economies, and any individual large economy could provide the trigger for a global rout.

19 October 2018

Watch the Backup Tapes - Yes, Really

A few weeks ago I was standing in an office when one of the IT people walked through. He was on his regular walk to deliver backup tapes to the "off-site" location, and this also gave him the opportunity see if he could trouble-shoot an issue for a senior exec. And there they were, backup tapes, just sitting unattended on a desk, as Mr IT was at the other end of the floor looking at the laptop. Yes, the data could have been sent across electronically, and certainly, the company's major systems are all automatically backed-up with almost constant checkpoints. Those systems can be flipped from the primary production to the back server farm in a matter of minutes.

But back to the backups; what was on those tapes? What would have been the impact on the company if the tapes disappeared? Source code? Customer data? Test scripts? Downloaded movies? Confidential emails?

After all, the tapes are a standard format, and the operating system is standard, so there would have been a minimal challenge to recover everything from those tapes. 

Sometimes we see "non-critical" systems continue to be managed as stand-alone environments, disconnected from the corporate environment, and most especially from the automated backup world.

I was tempted to pocket one of the tapes and see if he noticed it was missing. As there were only two tapes, or the cartridges that replaced "tape" decades ago, I was pretty confident that he'd notice. Cheap joke, not worth the effort.

But it did remind me of a blatant demonstration that I had to give a General Manager almost twenty years ago. Because sometimes a such a demonstration is what is needed to make the point. This is especially true with backup tapes.

We were (internal) auditing a subsidiary of a telephony company, and were in their Auckland office. The subsidiary was building a new product for corporate clients, enabling the clients to take a single file of all telephone data, already data-cubed and with a set of associated software to allow multi-dimensional analysis of that data. All very cool for the time. 

The systems ran on a small set of servers, actually just very powerful under-desk PCs, up-configured about as much as was possible in that day. And as this was a subsidiary and not integrated into the telephony company, the servers were of course in a room in their offices in the Auckland office building. And of course, one of their main programmers also worked in that same cubbyhole of an office.

Furthermore, the backup tapes were kept in the drawer of the desk next to the computer. The door to that room was of course locked, I was told, even though the door stayed open all day. At night, when the programmer left, he closed the door behind him, and then unlocked it to get back in the next morning.

By the end of the audit, we had our draft report and findings completed, and we were ready to present these to the General Manager. The only time slot he had was after hours, so we sat down with him at 7pm to go through the draft report and findings.

If there is one thing that I've learned about auditing, it is that the enthusiastic nodding of the executive is as frequently faux-agreement so that you will just go away as it is agreement to fix the issue, no matter how trivial. In fact, the more trivial, the greater the chance that the nodding will actually be a "please go away" message.

We were not getting any of those messages until we got to the IT Audit findings, and then the nodding started. The issues were outside his area, and he didn't understand the issues, their severity or the what effort would actually be required (all issues had been cleared with the IT people first of course). So he entered "thank you for these very helpful findings, please go away" mode.

Being fair, most of the issues were fairly minor, but I knew that a demonstration was needed. Something to make sure that the next morning, he would actually call in the IT people and get the issues, if not resolved, at least on the agenda for resolution.

When it came time to talk about backup security, I stopped, stood up, and excused myself from the room. "Pardon me, I'll be right back", and walked out...

...down the hall to the IT office/cubbyhole...

...Opened the door (that I had unlocked earlier in the day, guessing that the programmer would simply pull the door closed behind him when he left), opened the desk drawer, and walked back down the hall to the General Manager's office...

...where I put a box of tapes/cartridges in the middle of the table and said "these are your backups. If these were to fall into the hands of our competition, this product will no longer be commercially interesting, as our competition will be providing the same service within a month. Furthermore, if there is a fire or other reason this floor is not accessible or damaged, these tapes and your primary server will be lost."

I had to explain to him that the tapes were in a box where almost everyone could get them, and it would have been frighteningly easy for someone to simply replace a tape with an empty one, and walk out with a complete backup of the code, customer data, and effectively the entire product.

They were also kept right next to the machine that they backed-up. Lose the room, lose the computer, and lose the backups at the same time.

Of course, the IT guys weren't thrilled with me, but they suddenly did have the budget to install an electronic back-up to the main telephony company's computer centre and backup environment.

The lead auditor on the job was also shocked, though mostly because I hadn't warned him.

It is easy to become complacent, thinking that technology has come so far, that the silly things we allowed to happen years ago cannot happen today. Yet there is another less we should take; IT governance is first and foremost a people driven set of processes, not technology processes - technology allows us to make those processes work more efficiently, but they remain human processes. And no matter how much technology has progressed in the past twenty years, the human remains fundamentally the same.


28 September 2018

The allegations are not the issue, character is the issue

Yesterday I watched the Senate confirmation hearings for Judge Kavanaugh. I watched both his accuser's testimony and questioning, and his. I believe her. I don't believe him. But let us be very clear, there is not enough in the "she said, he said" for this to go to court. In addition, the desire to stall is a reasonable political manoeuvre. But that is not the issue.

The issue was what this exposed in the character of the nominee. What I saw yesterday was a political hack making the allegations part of a vast left-wing conspiracy by the Democrats to undermine the United States of Amerika. "Revenge" for the Clintons. Payback for the 2016 election. While the third might have, tangentially, a hint of truth, the first two are the work of a partisan and hateful mind, following in the Trumpian steps of telling the lie and keep telling the lie.

Kavanaugh demonstrated his character yesterday. He proved that he is not, and will not be a non-partisan judge on the highest court. He proved that his first question, even if only to himself, will be what political party is represented by either side in a case before the court, not the merits of the arguments from both sides in each case.

Yesterday we saw a Judge become a Republican Judge, who will ensure, regardless of the merits of any case, that the Republican position is upheld. 

It also became very clear, that this White Privilege Man will extract Revenge on those that called his name into question. He will place a lens of "left-wing conspiracy" over every case before him. And he will explain how he has been called by God to defend Amerika from the Clintons.

The man showed his character, and in so doing confirmed that the allegations did not matter. He will be a Supreme Court Judge, and Amerika will have taken another step toward the destruction of the Republic.

God Help Amerika, because the Trumpian Republicans will not.

20 September 2018

A Selection of Risk Management and Internal Audit Posts

Over the past year, I have posted a number of articles relating to Risk Management and/or Internal Audit. the objective of these has been to focus on the practical yet strategic, and not on individual risks or reporting standards. A selection of those articles includes:


  1. Strategic Audit or Strategic Auditing, and horror story
  2. Risk Geography and Waterfalls
  3. Delegations of Risk Authority
  4. Inherent and Residual Risk is Inadequate; What is the Appetite?
  5. What about your Target Risk?
  6. Single Points of Failure (SPOFs)
  7. Risk Quantification and Physics Envy
  8. Three Lines of Assurance
  9. Beyond Three Lines of Defence; Risk Management and Internal Audit
  10. After 22 years, InfoSec remains important
  11. The Importance of Emergency Lighting; a cautionary tale


Strategic Audit or Strategic Auditing. The ability to perform audits or strategy, or to perform strategic audits it a critical element of successful Internal Audit. The willingness and ability to report the findings and recommendations requires courage; something too often lacking. I provide a specific example, that I believe contributed to the fall of a very major financial services company.

In Risk Geography and Waterfalls I discuss a simple methodology to add to your suite of risk identification and assessment tools, and how the use of Waterfall diagrams can reduce the likelihood of missing important risks. We've used this to some success, and the direct linkage of risk identification to the critical income and expenses waterfall improves coverage. Bringing the right people to the table is facilitated by this methodology, further improving risk identification and assessment.

Delegations of Risk Authority: Too often we hear people say "We've accepted that risk" when what they really mean is "this is too hard; either I'm not able to explain it adequately, or I know remediation costs won't be approved, so I'm not going to try". Just as companies have Delegation of Financial Authority, so should there be a Delegation of Risk Authority. This article discusses this in more depth, and suggests are way forward.

Inherent and Residual Risk is Inadequate: What is the Appetite? Too often the practice of internal auditing, when performing risk assessments, looks at Inherent Risk (the level of risk before any remediation) and Residual Risk (the level of risk after remediation. This is inadequate and forgets one of the most important aspects of Risk: the Risk Appetite. Without understanding the agreed Risk Appetite, Internal Audit risks imposing its assumptions of what the Risk Appetite should be, not what Senior Management and the Board have agreed.

What about your Target Risk? following on from assessing the Inherent and Residual risk levels, if you do not know what your target risk level is, you will not know if your controls are effective, you will not know if the investment in remediation is appropriate, and most of all, you will not know when you have reached a level of control that meets the Risk Appetite of Senior Management and the Board.

Single Points of Failure:  While not a Risk Management or Internal Audit issue specifically, SPOFs (Single Points of Failure) are probably what will take the company down, at least for a short time. Yet these are also the area where you will probably see the most examples of "we've accepted that risk" from people with no authority to accept such risks.

Risk Quantification and Physics Envy: There is no question that the quantification of the potential negative (and positive) impact of the actualisation of a risk can help to clarify thinking, and support activities required to manage the risk. Yet quantification can also be a waste of time, and can be used to create rubbish results that mask as science. Poor quantification and simulation are easily as bad as or worse than poor subjective assessments.

Thr
ee Lines of Defence: The preferred model of various financial regulator and that has been embraced by the Insititute of Internal Audit, provides a sound framework, as long as we recognise that all lines of defence provide assurance. These two articles address the importance of Assurance from all three lines, and the linkage between Risk Management and Internal Audit.

Three Lines of Assurance:  It is time for a fundamental shift in the thinking about the concept of Three Lines of Defence and the value that Internal Audit and Risk Management deliver, and an equally fundamental shift in the role of management in the delivery of assurance and value creation. Over the past decade, the role of provider of assurance to the Board has been defined by the Internal Audit profession, and enshrined in the IIA's presentation of the Three Lines of Defence (TLD) model. That presentation of the TLD model and the associated assumption of who provides assurance undermines the responsibility of professionals across businesses, and presents an overt statement that management is not to be trusted. As such, it is time to review that model and introduce new thinking.

Beyond the Three Lines; Risk Management and Internal Audit: This article is focused on the relationship between two elements of the Three Lines; Risk Management (in theory 2nd line) and Internal Audit (the 3rd line). These two lines of defence provide Directors, the Board, shareholders and stakeholders with confidence that the system of internal controls is functioning effectively, that risks are being identified and managed, and where appropriate, accepted or assumed deliberately.

Meanwhile, some stories never get old, and those tend to be around the practical, head-shaking events that we remember, but that could well manifest themselves again.

22 years later, and InfoSec remains a problem. In fact, it is probably a much bigger problem. How to convince the IT Manager that he really needs to take security seriously? Sometimes it takes a practical lesson.

The importance of Emergency Lighting. Have you ever been in a situation where you were simply bumbstruck by the lack of thought that went into a potentially life threatening situation?


15 September 2018

Strategic Audit, Internal Audit's Five Legged Sheep

A little Strategic Audit horror story.

One special treat as a long-term Risk Manager and former Internal Auditor is to see the "latest" slide showing the "Auditor of the Past" and the "Auditor of the Future". I enjoy looking to see if the slide has changed in any material way from the same version twenty years ago. Sadly the slides never change, which either means we have still to reach the future, or that anyone who has been in the industry long enough recognises aspiration in the face of reality. I also like to see some of the perennial entries for the "future":



  • Auditing Strategy (or being a Strategic Auditor),
  • Greater use of technology, and
  • Being a pro-active communicator

Of course the list goes on, but for now, I want to focus on only one of these: Auditing Strategy or being the Strategic Auditor.

The total list is laudable and always has been. The list is also, primarily, a recognition of the capabilities and facets of the people in Internal Audit, our expectations of those people even knowing who and what we have put into those positions, and the value (and price) that the Executive and the Audit Committee are willing to pay for those skills.


Internal Audit is overhead, and overhead is something that is always on the block. But this particular overhead can lead to problems if it is not effectively managed. As an overhead, the desire is constantly to maintain or reduce the cost of the function, to reach that nirvana of low-cost, high-impact internal auditing. Sometimes this is achieved by seconding people from within the business into Internal Audit for a period of time, before returning them, up-skilled, to the business. Sometimes this is achieved by simply hiring cheap and young, all the while expecting professional depth, industry knowledge, and maturity in communication - both written and verbal.


Strategic Audit

We must recognise that to audit strategy, one must be a strategic thinker and must have a depth of profession and industry knowledge, and yes, enough years to understand trends and five (and longer) year business plans and decade-long business cycles. Auditing strategy requires direct experience with strategic planning and the business' own strategic plan, as agreed by the Board of Directors. It also requires a depth of understanding of markets, product lifecycles, customer expectations and potential market entry and exit obstacles.

Mostly, the Strategic Auditor must have the courage to ask Strategic Questions, not just questions about strategy and the strategy process, and the courage to communicate unwelcome messages.

The expression in France is that we are looking for the "five-legged sheep".


Reviewing Internal Audit - where's the Strategic Audit?

I remember performing the EQA (External Quality Assurance) review of the Internal Audit department of a large financial services company. Was Internal Audit complying with the "International Standards for the Professional Practice of Internal Auditing"?


I reviewed their plans (departmental and individual audit), the communications with the Audit Committee, individual audit reports, and walked through sample internal audits from the planning to reporting and follow-up. Their methodologies were sound, and from a compliance with the Institute of Infernal Auditors standards, they were mostly in compliance. To all appearances, this was an effective Internal Audit function.


But there was something about the function that worried me. I even remarked to a colleague that this was a fantastic 1990s Internal Audit Department (this was in late 2011). 

Eventually, I figured out what was making me so uncomfortable; There was no "Strategic Audit" concept in their plans, mission or actual programme. Financial Audit focused on the financial processes and statements, while Risk Management Audit looked at trading systems and trading activity in detail, or as much detail as they could. IT Audit was well staffed, as should be expected for a financial services firm, especially one with "over 100 trading platforms".

Wait, did I just say "over 100 trading platforms"?

This financial services business had grown through acquisition, and actually performed and delivered services through the common company and through a network of purchased but poorly if at all integrated companies. While every trade and every transaction was performed by the core company, actual trades were taking place across a plethora of independent systems, each with its own internal control environment, technology, and support services.

Internal Audit knew this, of course, and could show me how they would, through a multi-year Internal Audit Programme, reach all the of the medium to high-risk units during every three-year cycle. And the audit reports demonstrated that while individual units reviewed did have some issues, on the whole, they were not finding significant control system breakdowns.

Yet the company was also going through difficult times, as had all financial services companies in the years after the Global Financial Crisis, and cost-cutting was an ongoing strategic imperative.

The CAE Speaks

Finally, I was able to interview the CAE, the Chief Audit Executive. We talked through what I had seen so far, my impression on the effectiveness of Internal Audit, and what my findings and report might look like. Where, he asked me, did I think there could be reductions in the Internal Audit department to gain headcount and cost savings?


I countered that what appeared to be missing from his team was a Strategic Audit function, and any Strategic Auditors.  Who was performing the strategy and strategic level reviews, for example, a review of trading platform strategy and the risks associated with having so many trading platforms? This was not in the plan, he told me, because he didn't have the resources to undertake such a review, and besides, he didn't expect that the results would be of interest to the Board.


I told him that I was very concerned that there were so many trading platforms, in an environment of cost-cutting and headcount reductions, that the overall level of risk would increase significantly. After all, if there were one or two (or ten) trading platforms, then his audit resources could focus on that more limited number of control environments. Further, cost reductions could only lead to a greater risk of controls being ignored or bypassed within the individual trading units. Wouldn't he expect to take a report to the Audit Committee suggesting a consolidation of systems?


His response was that such a recommendation would carry costs that would be beyond what the Audit Committee or the Board would want to hear at this time, and that after all, a greater number of trading platforms meant that their risk was diversified.


His Strategy was to avoid conflict, and he already knew that such a set of recommendations would only bring him into conflict with a Chief Executive and Board that were determined to drive down costs at any price. 


My conclusions (from the EQA)


It was now clear that the interview and discussion were over. I was to provide a report on their processes and procedures as aligned to and with the Institute of Infernal Auditors Professional Standards. Indeed that is what I provided.


Certainly, there were a few areas where they needed some attention, but so much seemed to be best (or good at least) practice.


Certainly, the customer satisfaction processes could have been improved. Likewise their budgeting per audit and communication of cost/value to the auditees and management. For a financial services enterprise, there was an unfortunate lack of effective automated and continuous testing, and it was recommended that the IT Audit unit look to introduce such processes.  


Going a little further, I also recommended that they should be linking their audit plan and programme to the risks included in the MD&A (Management Discussion and Analysis) section of their annual SEC 10K regulatory report.


But without the Strategic Audit capability, and the willingness of the CAE to bring difficult reports and recommendations to the Audit Committee and the Board, it was my belief that the function was inadequate. Of course, we were not allowed to say that, so we didn't. It never made it into the report.


Aftermath, and a slight problem


The EQA report was delivered and discussed. The findings were agreed, and promises were made to implement almost all of the recommendations. Some were disputed, as is to be expected. There was no discussion of the need for a Strategic Audit unit. That was not to go in the report.


So everyone was "satisfied", and the invoice was promptly dispatched.


If you look back to 2011, you'll see that one of the top-10 bankruptcies took place that month. Needless to say, our invoice was never paid.


Did the wide range of trading systems lead to their collapse? Not directly. Was it a symptom of a company in which effective internal control and a strategic outlook (especially from their Internal Auditors) was missing? I would suggest so. The inability or unwillingness to deliver hard truths and to speak strategic risk can damn an internal audit function and can have lasting damage to the company.


My Conclusions about Strategic Audit


I said at the beginning that Strategic Audit or Auditing Strategy requires knowledge and experience, and a strategic mind. It also takes courage. The courage to look at the strategic situation of the company and its market position, future plans and where it came from. 


Also to look strategically at the leadership and Director team, and communicate clearly (and frequently privately) what you are seeing, and why it makes you, the Internal Auditor, uncomfortable, and why that should make the Executive or Director uncomfortable.


Strategic Auditing takes courage. And what I've learned, though this particular series of events and others in small and medium-sized companies, that the courage is not common in Internal Auditors. Not as common as the profession, and their employers, need.


The fifth, and too frequently missing leg of the Internal Audit sheep is Courage. Most frequently, the courage to not be a sheep.