Kyriba recently held a webinar attended by more than 500 treasury professionals that focused on the critical importance of business continuity planning (BCP) for treasury.
One quarter of the audience admitted to not having such a plan in place, while nearly 30 percent said they had a plan in place, but had never tested it, according to webinar polling. Needless to say, audience members were eagerly looking for best practices to make their continuity planning more complete. We also learned from the audience that treasury typically manages their own planning and those plans haven’t changed much despite the movement to the cloud.
The cloud offers a very different way of thinking about BCP. The best feature of the cloud is that it takes the entire software solution (and data) off your premises. Data centers used by a cloud treasury provider such as Kyriba reside in different global locations than the company offices, so your treasury system still operates without interruption even if the company offices are disabled or inaccessible.
Further, cloud treasury providers maintain their own business continuity plans to ensure the treasury software-as-a-service is always running. They build in redundancy of operations, replicating the entire environment so that all the data, the user interfaces, the bank connections, and the security protocols are all available in the “backup location.” If done well, a treasury team should not be able to tell if they are in the primary environment or in the backup.
It is especially important that the security is identical in business continuity mode because if that were not the case, then fraudsters would simply focus their hacking efforts on putting platforms into a backup state where systems could be more easily exploited.
The other characteristic of cloud-based treasury systems is that those systems are globally accessible via the cloud. Because of this, the same workflows can be run anywhere in the world by authorized users. If set up correctly, the treasury system will feature standardized templates, processes, and visual workflow maps so that temporary and new employees can be on boarded quickly.
This ensures that treasury is run the same way no matter who is performing the tasks. This is especially important for business continuity because part of an effective BCP program is ensuring smooth operations even when treasury personnel in the main office are not available. Whether their location loses power or internet access – or the treasury team’s number came up in Powerball lottery – the reality is that the need for treasury exists whether that team is available or not. The right treasury technology deployment will have standardized workflows that can be managed by anyone that is authorized from anywhere the company operates. And it will be do so because of the cloud accessibility combined with the treasury system being a single repository for all data, documentation and visual workflows.
Not All Clouds are Built the Same
Treasury systems need to be mobile. This is more than just being available in the cloud, however. Treasury systems need to work whether the user is at home (possibly on a really old desktop with an old internet browser), via a tablet or smartphone, and with low speed web connections (e.g. having to use your iPhone as a hotspot for your laptop to get online). If a treasury system cannot support multiple scenarios, it isn’t going to be a reliable component in your treasury’s business continuity plans. And, unfortunately, there are still treasury systems that are not device independent. Make sure that your business requirements also include testing just how mobile your treasury system actually is.
Security is Really, Really Important
While we briefly discussed the importance of a vendor maintaining security protocols in both production and BCP mode, the treasury team must have the same consistency in their application security. Presuming treasury’s choice of technology aligned with the organization’s information security policies, there will be certain authentication protocols used to log into the treasury system. They may include multi-factor authentication using hard or soft tokens, IP Filtering, virtual keyboards, and/or single sign on (SSO).
Invoking business continuity plans cannot mean that these security policies are abandoned, even for a short period of time. Such exceptions to policy seriously expose treasury to risk of internal fraud or cybercrime. Login procedures to treasury systems must be part of business continuity planning because “it was a disaster” is not an excuse to resort to only using user ID and password to access your treasury system.
Maintaining effective treasury information security means that the right login controls are always in place – in normal mode and during a business continuity plan. Data must remain encrypted at all times. And treasury workflows – including setting limits, separation of duties and real-time transaction screening – must be exactly the same, no matter the scenario. Any deviation from these requirements means that your organization’s financial data and assets are at risk. Because, as we know, effective fraud attempts are well researched with many puzzle pieces put together over months or years. And if your treasury system has a weakness that can be triggered simply by making the company’s power go out or internet go offline, we would be kidding ourselves if we think that exposure wouldn’t be uncovered by the wrong people.
Business continuity is about maintaining business operations – but it is also about maintaining a consistent level of security and protection from fraud and cybercrime. The right treasury technology can make your treasury team and organization safer.