Treasury Best Practices for Business Continuity

By Bob Stark
Global Head of Market Strategy, Kyriba

Much of the world is still dealing with the business and financial complications of COVID-19. This outbreak, and the uncertainty that has followed, serves as a reminder of the importance of having a business continuity plan with treasury best practices.

Business Continuity Plan

The cloud offers a very different way of thinking about business continuity planning (BCP). The best feature of the cloud is that it takes the entire software solution (and data) off your premises. Data centers used by a cloud treasury provider such as Kyriba reside in different global locations than the company offices, so your treasury management system still operates without interruption even if the company offices are disabled or inaccessible.

Further, cloud treasury providers maintain their own business continuity plans to ensure the treasury software-as-a-service is always running. They build in redundancy of operations, replicating the entire environment so that all the data, the user interfaces, the bank connections, and the security protocols are all available in the “backup location.” If done well, a treasury team should not be able to tell if they are in the primary environment or in the backup.

It is especially important that the security is identical in business continuity mode because if that were not the case, then fraudsters would simply focus their hacking efforts on putting platforms into a backup state where systems could be more easily exploited.

The other characteristic of cloud-based treasury systems is that those systems are globally accessible via the cloud. Because of this, the same workflows can be run anywhere in the world by authorized users. If set up correctly, the treasury system will feature standardized templates, processes, and visual workflow maps so that temporary and new employees can be onboarded quickly.

This ensures that treasury is run the same way no matter who is performing the tasks. This is especially important for business continuity because part of an effective BCP program is ensuring smooth operations even when treasury personnel in the main office are not available. Whether their location loses power or internet access – or the treasury team’s number came up in Powerball lottery – the reality is that the need for treasury exists whether that team is available or not. The right treasury technology deployment will have standardized workflows that can be managed by anyone that is authorized from anywhere the company operates.

Treasury Software Must Be Versatile

Treasury management systems need to be mobile. This is more than just being available in the cloud, however. Treasury systems need to work whether the user is at home (possibly on a really old desktop with an old internet browser), via a tablet or smartphone, and with low-speed web connections (e.g. having to use your iPhone as a hotspot for your laptop to get online). If a treasury system cannot support multiple scenarios, it isn’t going to be a reliable component in your treasury’s business continuity plans. And, unfortunately, there are still treasury systems that are not device-independent. Make sure that your business requirements also include testing just how mobile your treasury system actually is.

Data Security Is Really Important

While we briefly discussed the importance of a vendor maintaining security protocols in both production and BCP mode, the treasury team must have the same consistency in their application security. Presuming treasury’s choice of technology aligned with the organization’s information security policies, there will be certain authentication protocols used to log into the treasury system. They may include multi-factor authentication using hard or soft tokens, IP Filtering, virtual keyboards, and/or single sign-on (SSO).

Invoking business continuity plans cannot mean that these security policies are abandoned, even for a short period of time. Such exceptions to policy seriously expose treasury to risk of internal fraud or cybercrime. Login procedures to treasury systems must be part of business continuity planning because “it was a disaster” is not an excuse to resort to only using a user ID and password to access your treasury system.

Maintaining effective financial and treasury information security means that the right login controls are always in place – in normal mode and during a business continuity plan. Data must remain encrypted at all times. And treasury workflows – including setting limits, separation of duties and real-time transaction screening – must be exactly the same, no matter the scenario. Any deviation from these requirements means that your organization’s financial data and assets are at risk. Because, as we know, effective fraud attempts are well researched with many puzzle pieces put together over months or years. And if your treasury system has a weakness that can be triggered simply by making the company’s power go out or internet go offline, we would be kidding ourselves if we think that exposure wouldn’t be uncovered by the wrong people.

Business continuity is about maintaining business operations – but it is also about maintaining a consistent level of security and protection from fraud and cybercrime. The right treasury technology coupled with treasury best practices can make your treasury team and organization safer.