15 April 2015

Why the Grexit is inevitable - and some singing PIGS

In the past few days, we had the pleasure of a (very) extended lunch with a good friend from high school days in Thessaloniki, Greece. Of course we talked about mutual friends from those years - how So-n-so hadn't changed, how (yes, you know who you are) actually did become a (prominent) doctor, much to all of our, and our teachers', surprise. And what about, you know who, I heard he died. No, not true, he's alive and well and playing the electric guitar.

Of course there have been some deaths, and more than a few divorces, but many children who are now beginning to have children of their own. Some sing, including the snarlingly lovely Talking Pigs: We Won't Pay (As in Portugal, Italy, Greece and Spain).

Talking P.I.G.S.

One thing in common for almost all of my Pinewood International Schools (TiHi to some) class of '78 is that we left. Many still live in Greece and in Thessaloniki or have returned, and they are closest to the pain. The real pain of the past decade, that has destroyed wealth and hope. Unemployment is running at levels not seen in Europe since after the war, and at levels that encouraged the socialist - fascist civil wars of the 1930s. Those did not end well.

But that does not explain why the Grexit is inevitable, and why it will happen very soon.

  1. This is what the Greek people voted for. No, they did not vote to stay in the Euro, they voted for the party that said it would reduce the debt and meet pension obligations. The Greek people and voters are not stupid. They knew this could only happen by either the rest of Europe bailing out Greece again, or by leaving the Euro. 
  2. The Greek people know perfectly well that Europe is not going to bail them out, because to do so will only set everyone up for the next bailout.
  3. The Greek people, and the rest of Europe, know full well that the debt will never be repaid, and that the Troika are now acting as nothing better than the enforcers of loan sharks.
  4. Syriza knows that it had six months before the voters would throw them out, and once out, Syriza would never come back. 
  5. The Greeks needed to show "good faith" in actually attempting to negotiate a resolution with the Troika. This has now been done, and is failing.
  6. The demand for reparations from Germany is designed not to actually extract the reparations, but to anger the Germans to the point that they will block any compromise that Syriza would have been required to accept.

The Greek government, elected by a battered and exploited Greek people, has been establishing the conditions that will give them the moral high ground (in the eyes of their voters) needed to actually leave the Euro.

Having set the conditions, when will it happen?

"Predicting the future is easy, getting the dates right is almost impossible." I would attribute that quote, but so many people have said it that any attribution would be inadequate. But it certainly is true, and while I love to predict, getting the dates wrong is a specialty.

That being said, I'm still guessing May 9th.

Why?

Greece will leave the Euro, and they will do it sooner rather than later. They've made the April payment, but simply do not have the money for the May or June payments, and they cannot pass the legislation required by Europe and the Germans and stay in power. That gives us a late May or June date. So why earlier?

Capital flight.

Imposing currency controls will be a fundamental element of any Grexit. Accounts will be frozen, and any money in accounts will be re-denominated in New Drachmas. Once the bank accounts are unfrozen, the residual, former Euros will now be worth whatever the New Drachma has dropped to, and the drop will be significant, over-correcting to the downside.

Once it is accepted that the Grexit is coming and there will be no last minute deal, and with memories of Cyprus too fresh in every Greek's mind, the money will flow out of the country. Not just corporate money (most of which is probably offshore already) but any remaining personal money in bank accounts.

So Greece has to move before the coming Grexit is perceived as inevitable, and the money starts to flow out.

Weekend event.

When the Grexit happens, it will be on a weekend. The banks will be closed, parliament will be called into emergency session, and a packet of laws will be passed. This needs to be on a Saturday to avoid the wholesale capital flight that would start the moment parliament was called into session, were it a weekday.

This leaves only a few possible dates. And where there are few possible dates, I'm punting on the earlier date, so earlier in May. And looking at the calendar, that leaves us with May 2nd, 9th or 16th. My own guess is that the 2nd is too soon, and the 16th is too late.

That leaves me guessing May 9th.

10 April 2015

Let's talk Risk Registers - dead boring?

There seem to be two trains of thought on Risk Registers: they are terrible and should be banned, or they are a critical part of a risk management programme and environment. I can see both perspectives, though I come down on the side favorable to Risk Registers. I also have some sympathy for those that say "Risk Registers are dead boring".

A good friend is very happy to tell me that Risk Registers are the bane of the risk management profession, and that they do significantly more damage than any benefit they provide. Risk Registers, with their attempt (or not) to create a defined universe of risks, only serve to distract management and the Board from the wider range of risks, and thus provide a completely false sense of security. Use a Risk Register, he says, and you will absolutely be blind-sided by the actualisation of a risk that will kill the business.

Risk Registers also do not facilitate the quantification of all risks, or even necessarily the quantification of the value at risk for any particular risk. And without a quantification of the risk, it is impossible to have confidence in the application of resources to manage the risk.

He is right, of course, while also being completely wrong.

Any methodology or framework applied without adequate thought will court disaster. Anyone who actually thinks that their Risk Register actually contains either all the risks, or even all the important risks, is deluding themselves. Equally, anyone who thinks that they can quantify all risks either has a bloated risk function, is a major engineering conglomerate, or is delusional. Quantification can only go so far, and over-reliance on models can be just as dangerous as no assessment of potential consequences.

However, Risk Registers are an important part of risk management's ongoing processes of assisting management in the identification and management of risk. Note "a part of" and "assisting". These are critical. A Risk Register is so much more than simply an enumeration of risks, even if each has an associated description and a likelihood / impact scoring.

But a Risk Register can contain and drive so much more.

So what then is the purpose of a Risk Register? I would suggest Risk Registers can provide the following:

1. A common framework for the understanding of risk and the language for describing and managing risk within the organisation.
2. An agreed view of risks (but not all risks, as this simply is impossible, and counterproductive to attempt).
3. A linkage between organisational objectives and the risks to achievement of those objectives (as per COSO '92).
4. A central repository of the key controls associated with the risks, at a high level. In this way a control could be considered the inverse representation of a risk, or a subset or category of a risk.
5. The ability to identify control gaps, and to identify controls that need to be put in place.
6. A single source for reporting to determine the current, past and future level of risk (subjective) against the organisation's Risk Appetite.

A Risk Register does not prove that risks are being managed, nor does it record all risks. It also does not, by itself, ensure that controls are effective.

Finally, reiterating the "does not record all risks" point - there are risks that should not be put on a Risk Register. I have this discussion frequently, sometimes with a look of incredulity and a statement that "of course all risks should be on the register". There are some risks that do not belong on the register. These range from exit strategy risk to some specific regulatory risk to name two types. We can have a discussion about other risks, and I'd be happy to hear views on what risks belong on, and which should not be on the risk register.

Why should some risks not be recorded? Ah, that is NOT what I am saying. I am saying that some risks should not be on the Risk Register. These risks should of course be recorded and considered, but a Risk Register frequently is a document, system, spreadsheet, SharePoint directory(ies) or other repository of risks that will be visible by a number of individuals in the business. The Risk Register is also a living entity, with risks changing, being added, upgraded and downgraded.

I think the best summary comes from another friend, who said after attempting to build his Risk Register, "This is dead boring, but the process has actually made me think about the risks in my business, and is showing me that we have a lot more to do before I'll be comfortable that we are managing our risks".

04 April 2015

Gays are scarier than ISIS - really?

Last week Indiana signed into law the ability for businesses to discriminate against gays and lesbians (and really, against anyone they don't like). This week, Islamic fanatics asked students if they were Muslim or Christian, and then murdered 148 or more of the Christians.

Not meaning to cause (too much) offense to Christians or Muslims or those that consider themselves neither, but enough is enough.

It is time to stop discriminating against people for their biology, and start actively discriminating against people for their choices. Being Christian or Muslim (or any other faith) is a choice. Killing people in the name of your religion is a choice. Being gay or lesbian is not, it is in the genes, and therefore is built into the person before they are even born.

So let's start discriminating based on choices.

Christians who want to hate gays and lesbians - grow up, please, or we (straights and gays) will take our business somewhere else.

Muslims who do NOT want to kill people based on their not being their kind of Muslim - speak up, please. Every day you say nothing is another day that I grow more concerned about you being in my community. Every day you say nothing, you reinforce the (false?) perception that Islam is not a religion of peace.

For years I have fought the urge in the back of my mind to look with concern at the Muslim person getting on the same airplane as me. I have pitied the 4 obviously Arab men that were boarding the same Chicago to New York flight as me five weeks after 9/11. They looked as scared of the rest of the passengers as we looked of them. Well, no, they looked scared of the rest of the passengers who all, me included, were looking at them and asking ourselves how we would defend ourselves against them when they tried to take over the plane. That is fear, on both parts.

And today, when I look at numbers that say that in the UK, where 27% of Muslims "have some sympathy for the motives behind the Charlie Hebdo attacks in Paris", I am scared of the Muslims around me. More important, I am no longer able to convince myself that I am being unreasonable. The rational part of my mind simply sounds out of touch with reality.

Please don't tell me about how they are a minority. Of course 27% is a minority. But where are the 73% who should be loudly saying this is unacceptable? Wouldn't it be a scary world if 27% of Christians "have sympathy" with the motives of those that attack gays and lesbians, and "have sympathy" for killing Muslims because they do not allow Christians to open churches in Saudi Arabia (for example)?

I have never heard a Christian say that it is alright to kill Muslims because Christians are not allowed to visit Mecca. Yet 27% of Muslims in the UK are sympathetic to murders of cartoonists.

Maybe, just maybe, we are moving slowly closer to a world in which, if "we" cannot come to Mecca, then you cannot come to the UK, US, Brazil, France, or any other non-Muslim country. I really do not want to live in that kind of world. Multiple faiths and cultures make for more vibrant communities and countries, with wider ranges of ideas, art, culture, and yes, better food.

When I see a dull Pride Parade, and let's face it, when one of the vehicles in the Pride Parade is a Neonatal Transfer Unit ambulance with a rainbow flag, then that is a dull Pride Parade. And that speaks to a community that embraces the full range of differences in the community. Except the Islamic element of the community. And here, there is a very large, or at least very visible, Muslim community. We, and the Muslim part of the community, can really have pride when all are represented, including the Imams. Mind you, it will be very very dull, but isn't that what we actually want? To see all those around us visibly supporting all around us.

When Indiana, in the name of Christianity, supports legalizing discrimination based on how a person is born, and not on their choices, then that is sad, but not scary. We (straight and gay) can just take our business somewhere else, and take the piss out of them. After all, Indiana, and all the states that have similar legislation, do not actually need a law to be full of bigots.

But now, when I walk past 4 Muslim men, I wonder which one of them "has some sympathy" for those that would kill me, simply because I am not one of them.

02 April 2015

Why CSR is an important part of your risk universe

Well isn't that a pretty CSR / Sustainability report? All the right tables, indexes, pictures of windmills and daisies, but yes, some fairly data rich tables and reports. There is also the great summary that shows that the company met 80% of its CSR targets for the year, and can even show how those targets have evolved over a number of years. 

That report, of course, is your competitor's. And the boss is not terribly happy about that.

Call in the troops, raise the alarm, set some goals, and produce that CSR report that makes us look like we care, dammit.

Yes sir, no sir, three pages full of pretty pictures sir!

And so the company starts down (or continues down the already well worn) path to CSR or Sustainability or ESG (Environmental, Social, Governance) reporting. Goals are set and agreed, business cases are produced, and external consultants are engaged to help with the process. A standard is selected, and soon, but realistically most of a year later, the company has its first CSR report ready to go. All that is needed is a nice front-piece from the CEO, written by marketing or the CSR team, and it is time for the press release and marketing event.

Did you, as the Risk Manager or Internal Auditor, know what was happening, and have you included the CSR reporting process on your risk register or audit programme? If not, why not?

I know of one Risk Manager who was invited into the CSR programme from the beginning, and he is convinced that the result has greater validity and value because of Risk Management's participation.




CSR (Corporate Social Responsibility) reporting is important, but it also exposes the business to a new set of risks: operational, reputational and regulatory. CSR (or similar) reporting processes and content represent an uncharted area for too many risk managers and internal auditors. The information has rarely been determined to be "material", so even when the CSR programme or report has been in the risk universe, it infrequently rose to a perceived level of significance to draw attention and review.

Yet I would argue that the reputational risk alone should be enough to encourage attention. Add the regulatory risk and there is a clear rationale for Risk Management and Internal Audit (IA). IA in particular has a mandate to review and report on the effectiveness of the system of internal controls, and its programme of reviews should be based on a risk weighting of processes, systems and operational areas of the business. For too long we have assumed that this means controls over financial reporting and IT systems.

Consider the easiest regulatory and reputational risk. Does the CSR report contain the same information as the regulatory reports? In an SEC context, are the risks reported in the 10K the same as in the CSR report? As a specific example, does the CSR report in any way discuss climate change or the risks associated with exploitation of scarce resources such as water? If these are discussed in the CSR report, then they must also be in the risks section of the 10K, or face the danger of an investor or regulator asking why there are different risk factors being reported as being important to the current or future of the company.

This is as true for statutory reports in other jurisdictions. 

This is also true regardless of the reporting standard that you use, be it the GRI, IIRC's Integrated Report, UN Global Compact, SASB, or any other standard.

There are also metrics. Imagine reporting the level of carbon emissions or carbon offsets in a CSR type report, only to not report this information in statutory reports, regardless of what IFRS or US GAAP (or any other GAAP) requires.

While there are valid and important reasons to produce CSR/Sustainability reports, the information contained should be subject to independent review, and Internal Audit would be well placed to confirm the effective functioning of controls over the production of the information.

Likewise, Risk Management can provide valuable support in the establishment and operation of a CSR programme, and can ensure effective consideration of the risks being reported, both in range and in depth. This can include ensuring that common data sources are used for CSR and statutory reports, reducing the risk of different and potentially contradictory information being reported.

Key points:

· The world of CSR/Sustainability reporting is undergoing massive change
· Most CSR data is financial data, just packaged differently
· Many CSR reporting standards are little more than marketing standards
· Most CSR reports cover only a subset of the actual business
· Disclosures in CSR/Sustainability reports do not always mirror disclosures in statutory reports
· One activist with a smartphone can seriously ruin your day
· CSR/Sustainability reporting practices can be a bellwether of other reporting practices, good and bad

For these reasons Risk Managers and Internal Auditors should take a close look at what the company is saying to the world, and IA should confirm the effectiveness of the control environment that is producing the information that is reported, including the process (and costs) and the benefits.






30 March 2015

Governance; Ethics and Morals versus Regulation


In London at the CRSA Forum last week (25th March 2015), once again speakers talked about the importance of the ethical foundation of leaders and companies, and as usual rubbished the need for or importance of "rules based systems" of governance or regulation. Implicit in the comments was the importance of ethics as the foundation of any successful business. Explicit were the statements "ethics are better than regulation" and "rule based systems are less effective than moral or ethics based systems".

Unfortunately, that is bollocks. There is simply too much weight placed on the idea that ethics and morals actually deliver more effective governance than rules. On the one hand, absolutely, effective corporate (and personal) governance for long term benefit needs a moral and ethical foundation. On the other, remove the rules and only the ethical or moral will comply.

Rules do not exist to stop ethical behaviour, nor to make companies profitable or unprofitable, or to ensure that a manager "earns" a bonus. Rules and regulations are enacted by governments to promote what the government of the day has determined to be desirable behaviours, and to discourage or punish those that are undesirable.

While the good news is that only 4% of CEOs may be psychopaths (Forbes "Why some psychopaths make great CEOs"), that is four times the average in society as a whole. And while only a small percentage of CEOs may be psychopaths, their CFOs and FDs are under pressures of their own to ensure the numbers are right. The penalties for missing the quarterly numbers can be decidedly unpleasant (CFO.com).

"Comply or Explain", the UK reporting mantra, is held up as the alternative to rules based systems of reporting and governance. IFRS is a wonderful example of principles based reporting, yet the IFRS (International Financial Reporting Standard) still runs to over 2700 pages, excluding various national GAAP extensions to IFRS. Still, this is better than the 17,000 pages of US GAAP (Moss Adams LLP, 2009). Yet anyone who has attempted to use IFRS will find that it is as mired in rules as any GAAP. This also overlooks that so much of US GAAP is based on permutations of tax law specific to the US or to individual states. Oh, and US GAAP has been around a little longer than IFRS.

A victory for principles based reporting? Or, as a friend says, "If self-reporting was the only requirement, there would be no murder".

Rules exist for a reason. They provide the boundaries beyond which behaviours are unacceptable in law and regulation, if not in culture and society. Yet to point out that principles based systems are inadequate is all it takes to be branded in favour of a rules based system, as if that is something bad.

There are good rules, and there are bad rules. Don't eat your soup with a fork is a good rule. Allowing companies to discriminate against any minority based on the presumed religion of the company is NOT a good law (and is not religious freedom).

Allowing the CEO and Chairman to be the same person in a public company is not a good principle, but it would be a good rule. Because as a principle, it can be applied or not, it is only a principle. Make it a rule, and there is no weaseling around it, it is worse than bad practice (and a fine indicator that the company is being run for the enrichment of the managers and not the owners) and it would not be permitted.

Independent directors are a sound principle, and I see no need for a rule on this. An independent Audit Committee chair is a very sound principle. So sound that maybe it should be a rule.

Board effectiveness reviews? Great principle, but no, I wouldn't make them mandatory.

After all, the purpose of rules is not to over-ride good principles, sound ethics and strong morals. The purpose of rules is to limit the flexibility of those that pay lip service to good principles, or those that are not ethical or moral. Fraudsters, or just those under pressure to produce the target numbers by any means, can more easily justify bending principles, but they cannot justify bending the rules.

Indeed, I continue to say "Principles and ethical standards only apply to principled and ethical people".