eBook

AFP TiP Guide to Business Continuity Planning: Why Treasury Needs a Plan B

Disaster can strike at any time. In today’s ever-changing world, extreme weather, power outages, cyber events and other incidents can severely disrupt operations. That’s why it is essential for corporates to have a business continuity plan in place. And since the treasury function is at the forefront of a company’s money, there may be no better department to be a leader in this area.

Unfortunately, business continuity planning simply isn’t a high priority for many treasury departments, and that can no longer be the case. Oftentimes, there are payments that need to be made, and they can’t wait for the office to reopen. Treasury needs to have a plan in place for it to do its job even when the office is inaccessible.

In this new Treasury in Practice Guide, we will hear from corporate treasurers and other experts on how treasury departments can implement a successful business continuity plan, so that the next time disaster strikes, you’ll be ready.

Why Treasury?

As treasury’s role has grown over the past decade to become more strategic, we hear time and time again that the treasury function has more of a voice across the organization, working frequently with other departments. And when it comes to business continuity planning (BCP), treasury has yet another opportunity to truly be a leader.

“The treasury department is critical to the business,” noted Claudia Swendseid, senior vice president of the Federal Reserve Bank of Minneapolis. “They collect cash. They deal with bills. They deal with investing cash. They deal with financial institutions. These are all, by definition, critical components of a company’s ability to run day-in and day-out.”

But given the multitude of responsibilities treasury commands, BCP simply isn’t a top priority right now for many treasury departments. As David Neshat, treasurer for Akamai, noted, “If a treasury department has 10 priorities, BCP is unfortunately number 10.” That needs to change.

Determine Your Critical Assets

The first thing a treasury department needs to do when creating a business continuity plan is figure out all of its critical assets, noted Swendseid. One of the best ways to determine this is by calling a meeting with the CEO and CFO to hash out the business’ priorities and the risks that can impact them. That way, when an event occurs—be it a natural disaster, a power outage, a change in the marketplace or a change in a particular customer’s environment—the company will fall back on the “vision” it has set for itself, explained Dr. Mark Zecca, senior vice president, cloud services and engineering for Kyriba. “Business continuity is actually putting your vision down on paper,” he said.

Six Quick Tips for Creating a Business Continuity Plan

  1. Determine your critical assets. List all of your organization’s critical assets and the risks to them.
  2. Use a template or standard. Use a generic BCP template or a national standard for guidance when drafting your plan.
  3. Don’t forget the basics. Make sure you have contact information for everyone on your staff, your banks, and your vendors.
  4. Beware the weakest link. Make sure you can count on every link in the chain, but be ready in case one of them isn’t up to par.
  5. Test it out. Test your plan, and test it regularly, so there aren’t any surprises when it’s time to use it.
  6. Don’t sacrifice security. Either equip your employees with company-issued devices to perform critical functions remotely, or implement a secure BYOD policy.

While assets will vary from company to company, there are a few constants that will always be among the top priorities in a business continuity plan. First of all, systems need to be protected, Swendseid stressed. “If my accounts payable is down for two hours, that might not matter. But if my international treasury workstation is down for two hours, that could mean I lose my business x amount of money. So how quickly do I need to be able to recover these kinds of systems? Once I understand what I need to protect and the cost implications for these things to function, I can now determine the cost benefit in terms of my plans,” she said.

Once the conversation with upper management happens, then treasury can begin to work out the plan. “At that point, you can sit down and say, ‘This is priority number one, this is priority number two, etc.’ I think you’ll find that many treasurers already know this; they’ve just never written it down, they’ve never really tried it out, and they’ve never thought about what the various alternatives to those priorities might be,” Zecca said.

It is important to note that meeting with the CEO and/or CFO is not a one-time thing. A company’s priorities can change, and treasurers need to stay on top of those changes. Therefore, treasury should be meeting regularly with high-level executives. “The last thing you want to do is be in a situation where you find out that you’re out-of-sync with your CFO or CEO,” Zecca said. “It really comes down to good communication; everyone has to agree on top priorities. And in many cases, the treasurer not only has to look for it; they have to drive it.”

Beyond the C-suite, treasury should also make sure that other department heads and even regular third-party vendors know their roles should something happen. “Plan for conditions, not scenarios. You need to know that these groups will be there to provide their features and functionalities under general conditions. This is important, because you can plan for all sorts of scenarios, but if an entire group goes away quickly, there go your plans. Stick to simplicity, prepare for conditions, not scenarios. You’ve got to watch that you don’t build your house on sand,” Zecca said.

Use a Template or Standard

Once you iron out the business’ priorities, it’s time to actually write the plan. Writing out a plan is not easy, which is why many organizations utilize BCP templates to get started. Jeff Johnson, CTP, chief financial officer for Amesbury Truth and vice chairman of AFP’s Board of Directors, believes that treasury departments should begin with a generic BCP template and adapt it for their needs. “The challenge a lot of organizations have is that often they want to put something together, but they have no template,” he said.

Sample templates can be found rather easily online. Although corporates may not always be the target audience for a particular template, many of these samples can be adapted for their use. For example, FEMA publishes a continuity plan template intended primarily for non-federal governments, but many of its tenets can also be applied to the private sector. FINRA publishes a business continuity plan template directed at small businesses, but again, many of its principles can be applied to large corporates.

Although the structure for a business continuity plan can vary, a good plan will provide an overview of the organization, identifying key assets and the risks to them. It will specify the steps that can be taken in the event of an emergency, what their objectives are, and who is tasked with putting them into motion. It should also include a full distribution list of the plan recipients, as well as tables where any updates to the plan can be recorded.

Johnson, whose organization has been building a cohesive business continuity plan over the past six months, stressed the importance of including a business impact analysis (BIA) — a special section that attempts to identify, understand and quantify all risks to continuity. For treasury, the BIA will focus on risks to sending wires, payroll, and cash concentration. “So you look into each one of those items and the equipment you need to get yourself up and running, what you might need for software, your supplier list, your business recovery functions, your recovery time objectives, operational risks and any data you need,” he said. “For treasury business continuity, you’re probably going to have half a dozen of those areas, depending on how big you are.”

For an even more in-depth look at structuring a business continuity plan, it is also worth reviewing disaster recovery/business continuity standards like the NFPA 1600, the U.S. standard for emergency preparedness. The NFPA 1600 applies to public or private sector entities and provides detailed guidelines that an organization can follow when developing its plan.

NFPA 1600 has been organized in the Plan-Do-Check-Act format:

  • Plan: The process to determine goals and objectives and the desired outcome(s).
  • Do: Executing the actions needed to achieve the desired outcome(s).
  • Check: Evaluating whether the desired outcome has been achieved by those actions.
  • Act: Addressing any gaps between the desired outcome and the actual outcome.

After explaining its purpose and providing a series of definitions, the standard delves into criteria for program management and the planning process (Plan), followed by a section on actual implementation (Do). Next, it provides guidance on training and education, as well as exercises and tests (Check) and concludes with a section on program maintenance and improvement (Act).

Don’t Forget the Basics

In January 2016, Winter Storm Jonas hit the East Coast and buried major cities like Washington, D.C., Philadelphia and New York. Many businesses were forced to shut down their offices and employees had to work remotely, AFP included. But an important factor to keep in mind is that you can only work remotely if the systems you need to reach are still up and reachable; a closed office is no use if the servers behind it are down too.

Akamai’s Neshat explained that in early 2015, his company had to exercise its business disaster recovery plan. Cambridge, Mass., where Akamai is located, was forced to close its offices for non-network operations command center employees due to snowstorms. “In order for our employees to be able to work from home, our company failed over to our disaster recovery center elsewhere in the country,” he said. “Had that not happened, working remotely would not have been an option. Employees wouldn’t have had the ability to logon to emails/ERP systems/HR systems/etc.”

But if work email is down, that’s when treasury needs a “plan B” to communicate. Members of the treasury staff should have one another’s mobile numbers and even personal email addresses so that they can get in touch as needed. It’s also a good idea to have personal contact information for key members of the IT staff, as well as for departments that treasury works with frequently, like accounting. “If you can’t reach them through work email, how do you reach them?” Neshat said. “BCP goes back to simple things like that. People should have a folder at home with that contact information.”

Zecca recommended going a step further and setting up a contact center that is offsite or off-system. “Ask yourself and then answer: ‘Where is the one place that everyone can go to get contact information?’ Printing lists of people’s names and having that in the hands of lots of people may not be the best answer,” he said.

Swendseid added that having a plan in place only works if there are specific individuals appointed to put it to work when it’s needed. “Who are the decision-makers? This needs to be clear. For example, who sends out the memo that says, ‘Non-critical staff can be released early’? Who is that person in a particular company, and how does that translate to the treasurer or the CFO? Who gets to make that call? If the disaster is predictable, who informs employees that they don’t need to come into the office? That communication needs to be laid out,” she said.

Sarah Schaus, assistant treasurer and assistant vice president for Allianz Life Insurance Company of North America and chairwoman of AFP’s Treasury Advisory Group, explained that her company has actually appointed a business continuity management (BCM) team to be the “first line” in any type of black swan event. Should the event last longer than 24 hours, then a second line gets called in. “Everyone knows their accountability before we get into a situation,” Schaus said. “We even make little laminated business cards for people so everyone has the phone numbers of the team that is part of that first line.”

This communication should also extend to external partners that treasury works with regularly, Neshat added. Treasury staff should have contact information for bankers, treasury vendors, etc. in case they need to be reached and their systems are down. “Do you have your bank account information, contact information for your banking people, and your treasury vendors in a folder? It’s really just going back to basics. Technology has advanced to the point where we’ve forgotten about the basics,” he said.

Furthermore, what happens when you need to pay your employees or a vendor and the systems at one of your core banks have shut down entirely? “Let’s say your cash management bank is under a [distributed denial of service (DDoS)] attack and is shut down,” Neshat said. What do you do at that point? Treasury should have these conversations with its banks to understand and take note of each bank’s BCP. Oftentimes it can be as simple as faxing in payment instructions signed by authorized signers to a certain area. Whatever the fallback channel is, it should carry the same authorization controls as the primary one (authorized signers, passcodes, dual approval where it is used), since a fax or phone channel that accepts instructions with weaker checks than the online portal becomes the easiest route for a fraudulent payment.

While most treasury departments are equipped to work from home, there’s always the possibility that your internet at home could go down—not something that’s too outside of the realm of possibility when your area is facing extreme weather or (obviously) power outages.

Again, this is why you need a folder with direct contact information for your banks. “You have to make sure that you do have the ability to do phone-in wires; to be able to call into the financial institutions to get your balances over the phone as opposed to going online,” said Anita Patterson, CTP, director, treasury services and Patriot Act compliance officer for Cox Enterprises Inc.

Cox has contact information for multiple financial institutions, should its employees not be able to get online, or conversely, if networks at the banks are down. Transacting this way is reasonably safe because Cox has passcodes that must be used over the phone or via fax in order to access the company’s accounts, so the fallback channel still authenticates the caller rather than relying on the request alone. “And we work close enough with the financial institutions that there is a recognition factor there too,” Patterson said. “So if you called in on my behalf to try to do a wire, they’re not going to take it from you. You’re not approved, you can’t identify yourself or provide the necessary checks and balances that would allow you to do that on our behalf.”

Speaking of security, it is also important to make sure that any work performed from home online is not putting the company at risk. Schaus makes sure that any time her staff works remotely, they are doing so securely. “We strongly encourage, when anyone does work from home, that their wireless connection is encrypted,” she said. “I know when I login at home I can see my seven neighbors’ Wi-Fi out there that I could connect to. So we ask that everyone’s Wi-Fi is password protected so that no one can tap into it.”

Beware the Weakest Link

A business continuity plan only works if all of the pieces are in place. Sometimes it is best to utilize a third-party provider for certain functions because that frees up treasury to do other things. But if that provider is unable to do its job, that can create a huge problem, and treasury has to be ready to pick up the slack.

For example, many companies outsource payroll. But what if your payroll provider makes a mistake and the company doesn’t realize it until payday? The provider should be able to redo its entire payroll process, but that can take a couple days. Thus, employees won’t get their paychecks on time unless treasury manually issues them.

Johnson stressed that if treasury is going to outsource a certain function like payroll, it needs to consider what to do if that third-party vendor fails. If the third party makes a huge mistake, treasury can end up paying the price for it. “So regardless of tornadoes and storms shutting down the office, what happens if there’s just a mistake somewhere — a keying mistake, a file mistake — and your employees are not going to be paid on that day? What’s your backup plan?” he asked.

On the other side of the coin, relying too much on your own people can create its own risks. It can be a good idea to bring in an outside set of eyes once your business continuity plan is in place. “Bringing in a third-party vendor to do an audit of your procedures and practices can offer a lot of insight into where you may have some gaps,” Swendseid said. “Any company would get some benefit in having an outside eye look at what they have in place.”

Test it Out

Once you’ve drafted your plan, it is crucial that you test it. If you don’t, how do you really know if it works? Even treasury departments that do have well thought-out plans in place often find that some aspects need to be tweaked once they are confronted with a real black swan event. So testing, and testing regularly, is a very important step in implementing BCP.

Johnson noted that at his former company, Deluxe Corp., he would routinely have his treasury team work from home in order to ensure things would run smoothly should they not be able to make it into the office. “We’d work remotely to show that we didn’t need to be in the office,” he said.

Schaus noted that Allianz performs regular BCP exercises across the organization, including groups like treasury, investment and operations. “We do tabletop exercises, where we’ll sit in a closed room for three hours and go through a scenario,” she said. “We’ll say, ‘There’s a fire on the fourth floor, it’s noon and no one can get back to their desks or get home.’ Then, the next level is, ‘Now it’s 5:00 at night, these people are stressed and they need to get their kids from daycare. They’re starting to panic.’ So we do all that scenario role playing.”

Allianz even has a business continuity management site where its employees can go and run through more tabletop exercises. “At least once a year, we’ll physically go there and test our systems. We have a test plan, we look at what didn’t work and we make sure we get it fixed,” Schaus said.

Swendseid agreed that tabletop exercises are critical to a business continuity plan’s success. “Tabletop exercises can be very effective for, say, unanticipated disasters,” she said. “What if there’s a bomb? What if there’s a chemical release? What if there’s a fire? You can practice that in a tabletop exercise. You can have an exercise that says, ‘There’s a bomb threat at 3:00 p.m. What should we do? How do we inform people? If there’s a bomb threat, that means we have to evacuate. Do we send people to a remote location?’ Those are all the sorts of things that a treasury function needs to plan for. Disaster recovery is really about scenarios and having plans in place to respond to them.”

It’s the same thing if the business is hit with a cyberattack. Treasury and other departments may not physically need to relocate, but they will likely need to shut down certain systems. Again, exercises can help to prepare for that. “What if some sort of virus has affected my network with my financial institution?” Swendseid posited. “That financial institution may take me offline and may not allow me to continue to do business with them until I’ve addressed that problem. Do I have offline procedures in place to send critical wire transfers? There are all sorts of things that an organization needs to think about and practice.”

But while tabletop exercises are important, Zecca warned treasurers against scenario chasing. “Tabletop exercises are a good practice, but they should target conditions, not scenarios,” he said. “Once in a condition, and with the resources engaged for that condition, you can run all sorts of scenarios against it.”

Of course, no amount of testing can prepare you for the real thing, right? You’re always going to find some flaws in your system, aren’t you? Not necessarily.

Fred Butterfield, CTP, a former treasury manager for a Denver-based RIA technology company, explained that his former company had to enact its business continuity plan when the area was hit with a blizzard that closed most businesses, shut down streets, and made moving about very difficult, if not impossible. “That day was the first full test of the business continuity protocols by all departments,” he said. “It was completely successful. No one outside of the company knew that things were not completely normal until someone told them. The team that had worked to create the protocols and test them, of which I was one, received individual awards and recognition afterward. All of us had notes on what had worked well and what needed improvement. The continuity team was increased and the plan was refined and documented.”

At the time Butterfield left the company, each department was responsible for maintaining its own documentation and performing its own semi-annual testing. “Documentation of the entire process was reported to the compliance department, who maintained it for audit and regulatory review,” he said. “There were different parts to the plan to cover other natural disasters or other material events, such as floods, fires, power failure, terrorist attacks, etc. As many contingencies were included as could be thought of by the team. A regular annual review of the whole program was done, at a high level, on an annual basis by the compliance department.”

Patterson noted that in 2014, Cox had two separate instances of ice storms that resulted in its Atlanta headquarters being shut down. Atlanta is not known for extreme winter weather, and up until this point, the building had never been closed. Fortunately, treasury had a BCP in place and had practiced using it multiple times. Staff members worked from home, and were able to take care of all the needs of all the businesses Cox supports, which are all over the country. “If you’re in California, you don’t really care what’s going on in Georgia. You just want your money,” she said.

The building ended up being closed for three days each time, but treasury was still able to access every system, financial institution and report it had to. “But we had practiced before that happened,” Patterson said. “I can’t stress that enough. When the event is occurring—that’s not a good time to find out whether your plan works or not.”

Don’t Sacrifice Security

During a cybersecurity session at a recent cash management conference, attendees joked that BYOD (bring your own device) should actually stand for “bring your own disaster”. While it may not always be realistic for a company to provide all of its employees with laptops, mobile phones, etc., working remotely in the case of a black swan event requires employees to connect to the company network—therefore, those devices need to be secure. The more the company can control that process, the better. A company’s plan should never sacrifice the security that it already has in place.

At Allianz, employees who play critical roles in BCP have company-issued laptops that they take home every night. However, should they need to log into Allianz at home using their personal computer, they need to use a token, which is issued by the company. Lastly, no one can approve wires through mobile phones. “There is no business need to have to approve wires that way,” Schaus said. “I believe the company-issued laptops are the safest.”

Patterson explained that, at Cox, the company provides treasury employees with laptops. Cox also provides iPhones, though some employees do use their own. Employees who use iPads also typically use their own devices. “However, any personal device we use to connect for our email, etc. has to be protected as specified by our IT and security organization,” she said.

Swendseid noted that the risks with a BYOD policy are substantially higher, because it makes it more difficult for the company to control the deployment and management of the device. “Plus there are issues like network monitoring and ongoing software patch deployment, and there are all sorts of policy issues to consider, such as whether you can wipe a device that is lost if it’s BYOD,” she said.

However, BYOD can be secure; corporates just need to understand the risks and take the right steps to mitigate them. Zecca noted that a BYOD capability with the right mobile security apps can make BYOD laptops even more secure than company laptops. “The risk is to the personal data,” he said. “It is possible with external control to freeze the laptop or render it useless due to a possible attack, possibly erasing personal data. But this is the risk that the user accepts when submitting to BYOD protocols.”

It’s Up to Treasury

Although BCP is not, and should not be, the sole responsibility of treasury, it is an area where treasury must be a leader. Again, who better to make sure things stay up and running than those who truly understand the inner workings of the business? Treasury is heavily involved in risk management, is accustomed to taking an analytical approach to address problems, and is well-versed in compliance — simply put, treasury is a perfect fit for BCP.

“The treasury department needs to protect the company because they’re the ones who have the money,” Swendseid said. “If there is any part of a company that needs to be especially well-controlled and provide the most stringent controls, it’s treasury. And if the treasury department is not doing it, that’s just bad business.”

Johnson agreed. “In the end, everything boils down to cash,” he said. Of course companies need to produce and ship their products, but getting the money in the door and paying employees and vendors can’t be taken for granted. “Those things are incredibly critical to the organization and people just assume they happen,” said Johnson. “If you can build a strong business continuity plan around the treasury group, pushing it out further is probably not as hard as you think.”