Whilst a crisis may not happen to every company, if minimal preparation is the route a corporate opts for, then, in terms of being able to best manage a recovery, they are inevitably placing themselves in a vulnerable position. Treasury is no place for finger-crossing or complacency when it comes to risk management and putting in the groundwork is key for business continuity.
A lot is at stake when a crisis hits – which, as recent times testify, can happen to even the most competent and unexpected of organisations. When an Australian cloud-based software provider got into financial trouble recently, administration bore the responsibility of telling all of the company’s clients that the treasury systems they had in place would be turned off in a month!
Whilst this may seem like an uncommon occurrence, it is one that illustrates a point around keeping alert to any potential source of disruption – including one of your key business partners experiencing a crisis: “You’ve got to challenge the status quo and continue to look at your assumptions,” says Glen Giffen, Head of Sales for Visual Risk. It may be a case of ‘once bitten, twice shy’ for those particular corporates who were on the receiving end of the software vendor’s own crisis but, for others who are yet to experience such misfortune, to assume that it probably won’t happen to you, and therefore avoid preparation, is a dangerous move.
While it is true that crises sometimes cannot be avoided, it is also true that the outcome can be influenced. The nature of a crisis (which specialist consultancy firm Steelhenge defines as an inherently abnormal, unstable and complex situation that represents a threat to the operations, strategic objectives, reputation or survival of an organisation) is best countered by having procedures already in place. Crises may also not be as uncommon as you think and include: natural crises, causing the loss of workplace accessibility or even total loss of real estate, for instance; technological crises involving single or multiple system failures; and crises of malevolence.
Prefer to prepare
Corporates should be looking to place themselves in the best position should a crisis – natural, financial or otherwise – occur. As Dominic Cockram, Managing Director of Steelhenge Consulting, explains: “When a crisis arises, it is a complex and chaotic environment – usually fast moving. Because the time to respond is precious, you therefore need to have planned beforehand and be prepared so you can react quickly, effectively and decisively.”
Business continuity and disaster recovery (BC/DR) plans are – although most companies hope they will never need to use them – the best course of action in terms of preparing for seemingly random yet potentially disastrous events. Of course, there is a thin line between preparedness and paranoia when it comes to planning, but a business continuity plan should help minimise the latter. It is a means of enabling companies to help themselves prepare for the worst and be able to recover, as well as sustain operations during and after an event as quickly and cost-effectively as possible. Essentially, a BC plan is a fully-documented agreement between management and key personnel (with the buy-in of all staff) that is taken in advance and which covers the steps the organisation, and particular individuals, must take to ensure critical operations are protected.
At its most fundamental level, a BC plan could be the difference between survival and failure. Even in purely commercial terms, being prepared limits the possibility of having to call for (expensive) assistance in a state of desperation. Moreover, “those that are prepared tend to be seen in a very positive light by their investors, and the business is seen as being well led. Those that fail to prepare instead show a lack of foresight and share prices suffer accordingly,” says Cockram.
The attitude towards crisis planning, however, is mixed. “Many businesses operate in high risk industries and take crisis management seriously, partly because regulation may require them to. On the other hand, some corporates are complacent and end up suffering pain when something does go wrong,” explains Cockram. It is important to understand what would constitute a crisis for your business and to ensure the core of your BC plan is sufficiently flexible to cover a multitude of unpredictable scenarios, offering sufficient protection against internal impacts across multiple geographies from local to global, as appropriate.
BC must also consider the external impact, including the likely effect on key business partners and the ramifications of their failure to operate on your own business and the impact of your failure on theirs. A BC plan therefore is best seen as a living, evolving and regularly tested strategy that will give a business the best chance of survival – should the worst happen. Disaster recovery (DR) plans fit into the picture typically as IT-driven procedures that focus on the recovery of software, hardware and data within the BC plan. The aim: to, at least, allow resumption of critical business functions following an event.
Overcoming stumbling blocks
Properly executed, these stages can provide a business with reassurance that it is prepared for the worst. However, a common problem is that within a company there is often no clear ownership of DR. There is a tendency for business operations people – including those in treasury – to assume that another department will take care of it, typically IT. Even if this is the case, colleagues in IT may not always fully understand how critical each business operation is. Thus, no operation should work in isolation when it comes to BC/DR plans. Of course, SaaS-based TMS providers would also have a duty to its clients to provide DR as part of the deal, but it is ultimately the clients’ responsibility to know what to do in the event of a disaster.
So, what is best practice? Wherever possible corporates should be looking to bring BC/DR processes into daily operations, rather than drafting an impressive plan which is subsequently forgotten about. Indeed, a recent report by the International Federation of Accountants (IFAC), ‘From Bolt-on to Built-in: Managing Risk as an Integral Part of Managing an Organisation’, advises against a stand-alone risk management function, citing the poorest risk management as “characterised by reactive crisis management once something has gone wrong.”
Proactive then, is the way for corporates to be. For Steelhenge, development of a crisis management capability is best described as a three-phase cycle involving: pre-crisis planning and preparation, crisis response and post-crisis recovery. The consultancy firm believes pre-crisis preparation should include:
Horizon scanning and risk assessment. Ongoing processes to develop systems that gather, monitor and interpret information that will give early warning of the potential problems.
Response structure. The structure of response staff should be based around the need to provide strategic guidance. Transparency in role assignment and responsibilities is required and the documentation of BC/DR should have a clear ‘lead of governance’.
Gaining experience and validation through rehearsal. Rehearsing the actual response processes within a realistic environment is, according to Steelhenge, “the only real validation of an organisation’s crisis response capability.”
Should the worst happen, crisis response involves the following (all of which are made significantly easier with the existence of a plan):
Information management and situational awareness. Initially, there may be confusion surrounding the details of the event. Therefore, the team must quickly gain a clear understanding of what has happened and what could happen next.
Strategic thinking. Intrinsically linked to the aforementioned point, those who are responsible for business critical decisions need to have the best and most up-to-date information at their fingertips.
Leadership. There must be an identified leader with recognised decision-making authority and accountability. But remember: not everyone is cut out to be a leader in a time of crisis.
Crisis communications. Although the media spotlight is not directly relevant to the treasury function, key players have to inform and update the relevant people on developing financial and operational impacts. Where crisis communication is key for treasury, however, is in the information they provide to shareholders and relevant parties.
The recovery phase involves dealing with the longer-term impacts, taking the crisis as a learning curve and driving any necessary change to avoid mistakes being repeated in the future. This stage should not be underestimated in its complexity and, depending on the nature of the crisis, could take longer than expected.
The cloud and crisis management
Cloud computing technology, where a large number of computers are connected through an internet-based communications network, has begun impacting the treasury function in a number of ways, including (and increasingly so) in BC/DR. The cloud allows companies to keep their backed-up data in several different locations and offers the benefits of both reduced cost and recovery time compared with some traditional solutions. But it is still important for solutions to be tailored to clients’ needs. Visual Risk, for instance, offers local backups carried out on a regular basis (something clients previously with the Australian cloud-based solution provider that ran into financial trouble requested). “Ideally you would have a combination. That is, if your BC/DR is cloud-based, you should also look at having local backups being made or backups to another site being made periodically,” says Giffen.
Best practice regularity
You’ve got a plan in place and the company has spent significant time running through the simulation; you could reasonably assume you’ve done all you can to prepare for a crisis. But, as is well documented, the corporate world is continually evolving, as are threats to its stability. In order to avoid your crisis management capability getting left behind, Giffen reminds corporates “to have a regularly scheduled review of the parameters and stress test uses to see if they are still relevant. There is an onus to continue to re-test the assumptions you’re using.”
To this end, Visual Risk offers its clients the capability to run ‘what if’ scenarios and, according to Giffen, this is an absolutely crucial part of the process, to stress test your positions and understand what would happen in the case of a crisis. “For example, in a financially-driven crisis, you can use a statistical based measure – such as cash flow or Value at Risk (VaR) – to see what would happen in a number of scenarios (if interest rates moved in a particular way or a certain currency collapsed in value, for instance). This will effectively tell you what would happen with 99% confidence, after which you can overlay a scenario in a complementary way which sits outside that 99% and pushes the envelope.” Whereas statistical measures have boundary conditions, these ‘what if’ scenarios can test beyond what you would typically expect to see. “Try and come up with situations perhaps you thought may never occur,” adds Giffen.
Whoever is entrusted with BC/DR, internally and externally, it is essential for all concerned to have the required skills to be able to execute the plan in an emergency. An assessment of suitable third-party providers must be carried prior to engagement, but to ensure readiness of all concerned internally, the plan – and how to best realise it – must become part of company culture. As Cockram concludes, “after a crisis, you want to be able to say (and evidence) that every effort was made to prepare beforehand.”
Cloud provider checklist
Do you know and trust the provider? Are they reputable?
Does the provider have adequate provisions to back up its own data?
What happens when your contract expires or if you choose to change providers?
Does the solution meet not only your technical requirements, but also your business requirements, including regulatory compliance in the regions in which you operate?
Does the cloud solution allow you to meet your auditing requirements?
What mix of cloud and traditional solutions is appropriate for your business environment?