Could your business continuity plan survive a natural disaster?
Natural disasters are unpredictable and costly. The damage can be devastating, especially if you’re not prepared.
If there is a business lesson to be learned from natural disasters, it’s the importance of appropriate and ongoing business continuity planning (BCP), a strategy for keeping an organization operating during an unplanned event, such as an earthquake, hurricane, or any other natural disaster. According to a 2017 survey by CFO Research, just 33% of senior financial executives felt their organizations were prepared to recover from a natural disaster.
Reports of loss should remind treasurers and financial professionals to always test and refine the effectiveness of their plans.
Here are 4 simple best practices to remember when testing the integrity of a business continuity plan:
1. Don't chase scenarios: In general, hurricane evacuation plans amount to simply driving out of the area. While historically this has been an effective strategy, every scenario is different, and that is the point of business continuity planning. Don't plan for the scenario; plan for the potential loss. Here, the loss condition is that the treasury team is unable to access the office for several days, several weeks, or possibly ever again. Why they can't get to the office doesn't matter.
2. Working remotely may not always be possible: Many business continuity plans are built around the ability to work from home, from a coffee shop, or at worst from a nearby hotel. But in some situations you could simply be stuck in traffic trying to leave the state, which leaves working from a vehicle. That is possible with a cloud treasury management system (TMS) and a smartphone, although even then it may not be a sustainable strategy for anything beyond emergency treasury activities.
3. Substitute treasury personnel: Effective business continuity plans will include the possibility that treasury functions need to be performed by other people for short and longer-term periods. Again, the scenario (e.g., hurricane evacuation) doesn’t matter. A contingency for people from other locations continuing treasury operations must be built into planning. Again, this can be accommodated by a cloud TMS that is very well documented – ideally within the actual configuration of the system to simplify onboarding of new personnel.
4. Prioritize security: One of the biggest fears for chief information security officers (CISOs) is that information security practices during an emergency will be inconsistent with the security controls in place during normal operations. The reason for this fear is simple: if security is weaker under emergency conditions (e.g., the power or internet goes out at the head office), opportunistic cybercriminals may be more inclined to exploit that situation.
For treasury, business continuity security requirements must include:
- Application security: What information is required for personnel to access treasury and payment systems? Is multi-factor authentication a requirement when logging in from outside the office? How are logins without appropriate credentials, requests to reset passwords, or even login attempts from suspicious locations managed?
- Payment controls: Payments are the biggest target for obvious reasons. Policies for initiation, approval and documentation of payments must be followed in emergency situations – for all types, amounts, and geographies. Any inconsistency is ripe for exploitation by cybercriminals who test these defenses through spear phishing and other information-gathering techniques. Use security options like two-factor authentication (2FA) for payment approvals.
- Payment screening: In addition to standard payment controls, treasury teams should consider internal and external payment screening. External screening requires real-time screening of payments against sanction lists such as OFAC. Internal screening consists of real-time matching of payment details against company-defined rules, looking for irregular or suspicious payment activity. Examples could be a payment to a newly changed bank account, multiple payments that cumulatively exceed a payment limit, or supplier payments modified after import from the ERP. Screening against these possibilities and a forced workflow to resolve various threat levels is critical to preventing payment fraud in emergency situations.
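The three internal screening rules named above (a payment to a newly changed bank account, multiple payments that cumulatively exceed a limit, and supplier payments modified after ERP import), together with a forced disposition per threat level, can be expressed as a small rule engine. The following is an added example, not code from the article or from any TMS vendor: the supplier master, the payment batch, the 30-day "new account" window, the daily limit and the severity-to-action mapping are all constructed assumptions.

```python
"""Internal payment screening: three rules from the text plus a forced
workflow by threat level. All data and thresholds below are constructed
for this example; they are assumptions, not a real TMS configuration."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date


@dataclass
class Payment:
    payment_id: str
    supplier: str
    amount: float
    account: str          # beneficiary account as it stands in the payment run
    value_date: date
    erp_snapshot: dict    # the same fields as originally imported from the ERP


# Constructed supplier master: approved account and the date it was last changed.
SUPPLIER_MASTER = {
    "ACME": {"account": "GB11-NEW", "account_changed": date(2023, 9, 1)},
    "ZETA": {"account": "DE22-OLD", "account_changed": date(2019, 1, 15)},
}

NEW_ACCOUNT_WINDOW_DAYS = 30        # assumed: "newly changed" = within 30 days
DAILY_SUPPLIER_LIMIT = 100_000.0    # assumed cumulative per-supplier, per-day limit
SEVERITY_RANK = {"NONE": 0, "MEDIUM": 1, "HIGH": 2}
# Forced workflow: each threat level maps to exactly one disposition the
# approver cannot skip (assumed mapping).
ACTION_FOR_SEVERITY = {
    "NONE": "release",
    "MEDIUM": "require second approver",
    "HIGH": "hold for fraud review",
}
TRACKED_FIELDS = ("supplier", "amount", "account")


def screen_batch(payments, master=SUPPLIER_MASTER):
    """Return {payment_id: {"severity", "reasons", "action"}} for a batch."""
    findings = {}
    running = defaultdict(float)   # (supplier, value_date) -> cumulative amount
    # Process in value-date order so the cumulative rule sees payments in sequence.
    for p in sorted(payments, key=lambda x: (x.value_date, x.payment_id)):
        reasons = []

        # Rule 1: beneficiary account must match the master, and a recently
        # changed account is itself a warning sign.
        entry = master.get(p.supplier)
        if entry is None:
            reasons.append(("HIGH", "supplier not in master"))
        elif p.account != entry["account"]:
            reasons.append(("HIGH", "account differs from supplier master"))
        elif (p.value_date - entry["account_changed"]).days <= NEW_ACCOUNT_WINDOW_DAYS:
            reasons.append(("MEDIUM", "account changed within %d days" % NEW_ACCOUNT_WINDOW_DAYS))

        # Rule 2: cumulative amount to one supplier on one value date exceeds the limit.
        key = (p.supplier, p.value_date)
        running[key] += p.amount
        if running[key] > DAILY_SUPPLIER_LIMIT:
            reasons.append(("HIGH", "cumulative %.2f exceeds daily limit %.2f"
                            % (running[key], DAILY_SUPPLIER_LIMIT)))

        # Rule 3: any tracked field altered since the ERP import.
        changed = [f for f in TRACKED_FIELDS if p.erp_snapshot.get(f) != getattr(p, f)]
        if changed:
            reasons.append(("HIGH", "modified after ERP import: " + ", ".join(changed)))

        severity = max((s for s, _ in reasons), key=SEVERITY_RANK.__getitem__, default="NONE")
        findings[p.payment_id] = {
            "severity": severity,
            "reasons": [r for _, r in reasons],
            "action": ACTION_FOR_SEVERITY[severity],
        }
    return findings


# Constructed batch: P1 and P2 go to a 9-day-old account and together breach
# the daily limit; P3's amount was edited after import; P4 is clean.
SAMPLE_BATCH = [
    Payment("P1", "ACME", 40_000.0, "GB11-NEW", date(2023, 9, 10),
            {"supplier": "ACME", "amount": 40_000.0, "account": "GB11-NEW"}),
    Payment("P2", "ACME", 70_000.0, "GB11-NEW", date(2023, 9, 10),
            {"supplier": "ACME", "amount": 70_000.0, "account": "GB11-NEW"}),
    Payment("P3", "ZETA", 5_000.0, "DE22-OLD", date(2023, 9, 11),
            {"supplier": "ZETA", "amount": 500.0, "account": "DE22-OLD"}),
    Payment("P4", "ZETA", 1_000.0, "DE22-OLD", date(2023, 9, 11),
            {"supplier": "ZETA", "amount": 1_000.0, "account": "DE22-OLD"}),
]

if __name__ == "__main__":
    for pid, f in screen_batch(SAMPLE_BATCH).items():
        print(pid, f["severity"], f["action"], "; ".join(f["reasons"]))
```

The point of the design is that the outcome is a disposition, not just a flag: a HIGH finding forces a hold regardless of who is approving or where they are working from, which is what keeps emergency-mode payments under the same controls as normal operations.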
Effective business continuity planning is a critical process, especially as the threat of fraud and cybercrime increases. Business continuity is not just for those affected by natural disasters – human- or system-initiated attacks must also be considered to ensure your treasury processes, people, and information are not threatened. Treasury is too critical to be unavailable to your organization for any period.
- Infor Treasury Management