Weather and hurricanes have dominated much of the headlines over the past month and our hearts go out to those who were impacted in any way.
If there is a business lesson to be learned from natural disasters like Hurricane Irma, it’s the importance of proper and ongoing business continuity planning (BCP), a strategy for keeping an organization operating during an unplanned event, such as an earthquake, hurricane or something else. According to a 2017 survey by CFO Research, just 33 percent of senior financial executives felt their organizations were prepared to recover from a natural disaster.
Tragedies like Irma, and Hurricane Harvey before that, remind treasurers and financial professionals to continually test and refine their plans. Here are four simple best practices to keep in mind when testing the integrity of a business continuity plan:
Don't chase scenarios -- Very few would have predicted a scenario in which tens of millions of people evacuate an entire state to escape a hurricane's potential path. Many Floridians' evacuation plan is simply to drive to the opposite coast. Historically that has worked, but this time it did not, and that is the point of business continuity planning. Don't plan for the scenario; plan for the loss condition. Here the loss condition is that the treasury team cannot access the office for several days, several weeks, or possibly ever again. It does not matter why they can't get to the office.
Additional reading: Business Continuity Planning Guide: Why Treasury Needs a Plan B
Working remotely may not always be possible -- Many business continuity plans are built around the ability to work from home, the nearest coffee shop, or at worst a nearby hotel. In this case, none of those options was available, because Floridians were stuck in traffic trying to leave the state. That leaves working from a car. This is possible with a cloud treasury management system (TMS) and a smartphone, although even then it may not be sustainable for more than emergency treasury activities.
Substitute treasury personnel -- Effective business continuity plans include the possibility that treasury functions must be performed by other people, for both short and longer periods. Again, the scenario (e.g. a hurricane evacuation, or the whole team winning Powerball) doesn't matter. A contingency for other people in other locations continuing treasury operations must be built into the plan. This too can be accommodated by a cloud TMS that is thoroughly documented, ideally within the configuration of the system itself, to simplify onboarding of substitute personnel.
Prioritize security -- One of the biggest fears for chief information security officers (CISOs) is that information security practices during an emergency will be inconsistent with the controls in force during normal operations. The reason is simple: if security is weaker in an emergency condition (e.g. the power or internet connection to the head office goes out), opportunistic cybercriminals will be more inclined to exploit it.
For treasury, business continuity security requirements must include:
- Application security – What does personnel need in order to access treasury and payment systems? Is multi-factor authentication required when logging in from outside the office? How are failed logins, password reset requests, and login attempts from suspicious locations (e.g. North Korea) handled?
- Payment controls – Payments are the biggest target, for obvious reasons. Policies for the initiation, approval and documentation of payments must be followed in emergency situations for all payment types, amounts and geographies. Any inconsistency is ripe for exploitation by cybercriminals, who probe these defenses through spear phishing and other information-gathering techniques. It is also recommended to require two-factor authentication (2FA) for payment approvals.
- Payment screening – In addition to standard payment controls, treasury teams should consider both internal and external payment screening. External screening means real-time screening of payments against sanctions lists such as OFAC's SDN list. Internal screening means real-time matching of payment details against company-defined rules that look for irregular or suspicious activity. Examples include a payment to a recently changed bank account, multiple payments that cumulatively exceed a payment limit, or supplier payments modified after import from the ERP. Screening for these possibilities, combined with a forced workflow to resolve each threat level, is critical to preventing payment fraud in emergency situations.
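To make the screening rules and the forced workflow above concrete, here is an added example (not code from the original post or from any TMS vendor). It runs a small batch of constructed payments through an external denied-party check and the three internal rules named above, then maps each payment's findings to the approval path it must take. The denied-party list, the supplier master-data change log, the payment limit and the sample payments are all made up for the example; a real deployment would screen against the current OFAC SDN list and the TMS's own supplier master data.

```python
"""Rule-based payment screening with a forced resolution workflow (constructed example)."""
from __future__ import annotations
from collections import defaultdict
from dataclasses import dataclass
from datetime import date, timedelta
import re


@dataclass(frozen=True)
class Payment:
    pid: str
    supplier: str        # supplier ID in the TMS
    beneficiary: str     # beneficiary name on the instruction
    iban: str            # account the payment will actually go to
    amount: int          # minor units (cents); never floats for money
    erp_iban: str        # account and amount exactly as imported from the ERP
    erp_amount: int


@dataset := None  # placeholder removed below
```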
Effective business continuity planning is a critical process, especially as the threat of fraud and cybercrime continues to increase. Business continuity is not just for those affected by natural disasters – human or system initiated attacks must also be considered to ensure your treasury processes, people, and information are not threatened. Treasury is too critical a process to be unavailable to the organization for any period of time.