Where there is business, there will be risk. That is the nature of the beast. But just like businesses, risks are not static, with some rising to the fore whilst others lay dormant in the background. And then an incident erupts somewhere in the world, and those that were dormant are now very active.
Generally speaking, there will be commonalities in the risks that businesses face. The impact that these risks may have on the business is, however, very dependent on the nature of the business, the markets it is active in and a number of other criteria.
In this article, we use the findings from Treasury Today’s 2016 Voice of Corporate Treasury Study to hone in on what the key risks are for treasurers both today and in the future and then take a look at the strategies that can be employed to not only mitigate these risks, but in some instances, turn these into opportunities.
These have not been easy times of late for corporate treasurers. Intense volatility and uncertainty across the commodity and currency markets has become the norm, causing many headaches for practitioners. This challenge has been reflected in our recently published Voice of Corporate Treasury Study, which found that currency volatility and commodity prices currently rank amongst the top five risks for treasurers around the world.
Although the management of market risk is certainly not a new area of focus for corporate treasury, new realities are demanding new approaches. Most notably the need to be proactive in the management of these risks.
The incessant tide of commodity and currency price fluctuations has created a glut of challenges for the corporate treasury department, especially around accounting and forecasting. If these risks are not managed correctly, then these swings can have a significant impact on the treasury operation, creating losses and perhaps even the potential risk of a ratings downgrade and an increased cost of access to capital. The impact can be even more profound on a company’s share price, creating uncertainty in the value of the company and drawing the attention of the boardroom.
But many corporate treasury departments are not in a position to manage these risks sufficiently. “Generally speaking, to manage these risks proactively corporate treasury departments need greater transparency over their asset classes across the business than they currently have,” says Mark O’Toole, Vice President, Commodities and Treasury Solutions at OpenLink. “In doing so they will be in a better position to view their cash and risks in real-time which is crucial.”
Achieving this, as many treasurers will attest to, is very difficult. As they have expanded, companies have seen departments become autonomous units in their own right, adopting their own technology to meet their specific needs. In the finance function alone it is typical for there to be between three and seven different systems in place just to manage day-to-day operations.
When managing risk, treasury will typically extract all this information and enter this into a spreadsheet. “These processes can take a considerable amount of time depending on the complexity of the organisation and the disparity of systems and data,” says O’Toole. “By this point the markets may have changed and treasury will be on the back foot again.”
This is beginning to change, albeit slowly. “The pressures to reduce capital expenditure and increase margins have forced the hand of the treasurer,” says O’Toole. “Gone are the days of running multiple systems to manage day-to-day business operations. Today, it’s all about reducing the number of systems and manpower to operate them, and having the tools to gather detailed insight into activity and gain more predictable outcomes.”
There are numerous players in the market offering holistic risk management solutions that can help corporates achieve this. “The existing base of best-of-breed treasury management system (TMS) and enterprise resource planning (ERP) vendors are continuously developing their products,” says Tobias Westermaier, Manager at Zanders. “On top of that we have seen a recent rise in specialist vendors addressing a specific element of the treasury process.”
Of course, all of these solutions will offer varying levels of functionality so it is important that one is selected which meets the specific needs of the company. But, no matter which solution is selected, it must give treasury access to reliable, complete and consistent data, available on a timely basis. Then, from this base, risk can start being analysed more proactively and holistically, perhaps providing the business a competitive advantage.
Changes in process
Bringing all this siloed and inconsistent data together however, so that it can be viewed through a single window, not only requires a change in technology. It also demands a change in thinking across the company and the need for silos to be eliminated, fostering a cross-functional and holistic approach to risk management.
According to O’Toole, the companies that manage risk best have done this by centralising their processes and appointing a Chief Risk Officer (CRO) who will help drive a concentrated focus on risk across the company. “A CRO, who will have an intimate knowledge of risk fostered over many years, can help create a risk framework, shape the policies and then help all the various business departments understand risk holistically,” says O’Toole. “Typically, risk specialists were once few and far between, often concentrated within the banking sector. However, since the banks have begun deleveraging we have started to see a lot of these risk experts jump to the corporate side.”
The treasury department, with its intimate knowledge of financial risks could be seen as a candidate to take on this role. O’Toole advises however, that whilst this could work theoretically, a CRO typically will dive further into risk than a treasurer typically would, using a raft of complex tools to measure items such as Value-at-Risk (VAR) and potential future exposure. That being said, the treasury should be aligned very closely to the CRO and be a key ally in the management of risk.
With risk centralised at C-suite level, the CRO can work hand-in-hand with other executives within the business to create more sophisticated risk management policies and guidelines than perhaps existed before. Mark van Ommen, Director at Zanders highlights that this is a trend at present: “We are seeing many of our clients creating much more sophisticated policies. They are also looking to leverage outside expertise in order to understand what other companies are doing and the lessons that can be learnt from this.”
However, the creation of policies is one thing; these also need to be closely adhered to for them to be effective. To do this, van Ommen is seeing many corporates building dashboards to track risk performance. “In doing so they are not only tracking traditional key performance indicators (KPIs) but specific key risk indicators, directly related to the risk-bearing capacity of the company.”
Fit for the future
In bringing the processes and technology pieces together, a corporate should end up with a single centralised system that highlights the risk across the entire enterprise in real-time. This will be controlled at a central level by a CRO, but utilised by various departments across the business, all of whom are aware not only of the risk faced by their function, but also that faced by others. And it is from this position that a business can truly begin to proactively manage risk.
“To do this companies can begin looking at stress testing and scenario analysis,” says Zanders’ Westermaier. “In doing so they will be able to see how their business reacts in different scenarios and put in place strategies and processes should these manifest in reality.”
For O’Toole this point is especially important. “Take the example of sterling in light of the Brexit referendum result, there is no telling what level it will be trading at over the coming months,” he says. “But by being in a position to proactively manage risk, you will be able to use scenario testing to see what the impact will be on the business and proactively manage that, no matter which way the currency moves.”
Ultimately, corporate treasurers should be a leading voice in the organisation over the coming years, developing and driving long-term strategic plans based on latest developments and thinking about what the future disrupting factors on the business will be. The risk management policies and procedures should reflect this and be integrated with, embedded in and understood by the wider finance organisation and business as a whole.
Deeply entwined with market risk is geopolitical risk. Indeed, as the world awoke on the morning of Friday 24th June, the British, European and even global political landscape had changed. The (arguably) shock decision made by the British people to leave the EU had opened up a Pandora’s Box of what ifs and maybes.
Brexit immediately sent shockwaves through financial markets across the globe. The pound fell to a 31-year low against the dollar, the world’s major stock markets plunged in volatile trading and bond yields soared in safe-haven government debt.
In the months since then we have seen further financial impact, including a number of investors rushing to pull money out of commercial property, the Bank of England adjusting capital ratios to free up more funding to individuals and businesses and the pound and stock markets continuing to show high levels of volatility. All the while, in the wake of the decision a political vacuum had appeared in British politics, at a time when the Isle was calling out for strong leadership.
Yet, for the corporate treasurer, this was just one of many incidents that have occurred in recent months and years that have required careful attention. Indeed, few would disagree that the world has entered a new stage of political and economic uncertainty, leaving the fortunes of businesses on a knife edge and putting corporate treasurers at the sharp end.
Understanding geopolitical risk
Geopolitical risk is somewhat of a ‘catchall’ phrase that seeks to encompass all risks that are generated as a result of political decisions. These risks may appear in a variety of guises and can impact either individual businesses, specific sectors or the economy as a whole. Some prominent examples of actions that can create geopolitical risk include: war and conflict; changes in governments; regulatory changes; changes in the tax code; currency revaluations; trade tariffs; labour laws; environment regulation; and changes in government spending.
Yet, in some respects, even this definition is unhelpful because incidents such as terrorism, which is not necessarily committed by state actors, also falls under the purview of geopolitical risk. Geopolitical risk may therefore just be one of those ‘you know it when you see it’ issues.
But just because geopolitical risk is hard to define, it doesn’t mean that it is not vital to understand. “The impact of geopolitical risk on corporates is vast,” says Charlotte Ingham, a Principal Political Risk Analyst at risk and strategic consulting firm Verisk Maplecroft. “This risk can be operational in nature, in terms of the physical security of their facilities and staff or the potential disruption to their logistics, or legal, if you look at things like corruption risk and the potential ramifications of violating the US Foreign Practices Act or the UK Bribery Act, as well as financial.”
Beyond the operational and financial consequences, political risk can damage a corporate’s image as well. “There are big potential reputational risks for corporates with operations in countries which have poor records on democratic governance, political violence, or human rights,” adds Ingham.
A changing world
So what are the key geopolitical risks that corporates and their treasury departments need to keep at least one eye on over the coming few years? Unfortunately, no business has access to a crystal ball. The past, therefore, has to be used as an indicator for the future. And there are a handful of megatrends that currently exist in the geopolitical space that are having a large impact on business operations and will continue to do so in the short term at least.
“More than five years since it began, we are very much living in a post-Arab Spring world,” explains Ingham. “While the obvious consequences of this are the greatly increased levels of political violence in Egypt and Libya – to say nothing of Syria – its consequences are being felt far beyond the MENA region.”
Indeed, as we have witnessed there has been a massive outflow of refugees and the significant rise in political violence in Europe and the US due to an increase in the frequency and intensity of terrorist attacks. “These changing conditions not only have implications for the security environment for business, but also for the policy environment,” she adds. “If you look at the extent to which security and immigration have been key themes highlighted in the debate around Brexit, and the way in which increased migration has exacerbated political polarisation elsewhere in Europe, you can see how this issue is creating increased uncertainty for companies operating across Europe.”
Yet, whilst organisations have evidently been impacted by these events, the actions of businesses themselves has also increased their exposure to new geopolitical risks. As Ingham explains: “At the same time as all these events have been unfolding, we’ve seen companies venture further out from home markets and rely on increasingly diffuse supply chains. As a consequence, they face an increasingly complex interplay of political risks.”
For the corporate treasury department regulatory risk is always front of mind given the impact changes in financial regulation can have on its operations. And, globally speaking, the regulatory environment is only increasing in complexity. Indeed, data from Thomson Reuters highlights that in 2015 there were roughly 50,000 regulatory changes made by 600 different regulators around the world. That is 150 regulatory changes every single day. Of course, it is extremely unlikely that all of these impacted the corporate treasury function directly, or even the organisation more broadly. But they may impact another party in the ecosystem, which may then have a knock-on effect.
It is highly likely that this trend will continue. Indeed, Verisk Maplecroft’s Regulatory Risk Index, highlights that 45% of countries are host to extreme or high risk regulatory environment. “The quality, stability and predictability of the regulatory environment is the most significant challenge facing business,” she adds. “Onerous regulation increases both the time and cost of doing business, while ill-defined, poorly targeted and unevenly enforced legislation creates significant uncertainty around compliance requirements.”
One notable example, from a cast of many, where the corporate treasury was directly impacted comes from a move taken this year by the Chinese regulators to limit the cross-border flow of currency through sweeping arrangements. The ‘window guidance,’ (an uncodified regulatory change) put a halt to the cross-border RMB flow, leaving many treasury teams scrambling for answers around what this meant and how it would impact their global cash management operations.
Checklist: Zanders’ tips for successful risk management
- Ensure risk management policies are up to date and fit for the future.
- Ensure the risk management framework supports these policies and is well embedded in the organisation.
- Ensure timely and accurate risk data collection at centralised level.
- Incorporate advanced risk measurement and management models.
- Include non-business risk evaluation into strategic decision making process.
Managing geopolitical risk
Geopolitical risk, in whichever form it manifests, looks set to continue to be a key area of focus for corporate treasury departments and the corporate operation more broadly. So how can this be best managed?
Having an awareness of geopolitical events and ‘hotspots’ that may impact operation either directly or indirectly (ie through the supply chain) is a key starting point. Much of this knowledge can come through keeping up to date with global news and also through an appreciation of the markets the business is operating in. Treasurers operating in China for instance, will be well accustomed to such incidents as the ‘window guidance’ and whilst this was a shock, it did not pose an insurmountable risk to operations.
However, sometimes conditions change very quickly, as was the case during the Arab Spring. These events are more difficult to plan for but there can be tell-tale macroeconomic signs – even in jurisdictions where political risk is not currently high – that can help predict regions where problems may erupt in future. One such example of this is a macroeconomic downturn, in instances such as these governments may become unpredictable and, in extreme cases, become hostile towards foreign businesses potentially impacting their supply chains or even seeing assets seized with little to no compensation.
It must be remembered that corporates are not alone in this endeavour and should look to obtain sound advice, from numerous sources including banks and political risk experts. When matched with the businesses own evaluation it can help to create a robust holistic risk-profile for each market. Moreover, in those higher risk countries, further steps may have to be taken, including: implementing appropriate security measures, engaging with local communities, and selecting lower-risk parts of the country to do business.
No matter what the level of risk however, it is important to have a resiliency plan in place should trouble occur. Here it would be prudent for businesses to identify its essential functions and address the impact geopolitical risk, of varying degrees, could have on customers, employees, and other stakeholders. For the treasury, this may be simply ensuring that payments and collections can continue as normal in the country.
In more recent years, geopolitical risk insurance products have become more popular as a means to protect shareholder value, support growth in foreign markets, and help secure financing from lenders. But some companies are reluctant to discuss such risks until they pose an immediate threat; it is after all a cost that may not be needed. As with all insurance products though, it plays on the fear that by the time an event has escalated, it may be too late.
Credit risk insurance may also be a prudent tool to mitigate geopolitical risk. After all, in times of difficulty and geopolitical risk, risk of non-payment typically follows. This means that not only are the physical assets of the company at risk, so is the balance sheet.
Indeed, a recent report by French credit insurance company, Coface, highlighted how this is a current issue for companies operating in China due to the reforms taking place in the country’s economy and the actions taken by the Chinese government to tackle overcapacity and ‘zombie’ companies. The study highlighted that 80.6% of companies experienced overdue payments in 2015. For the treasury departments of these organisations a cash flow risk is created, which may manifest in late payments being passed down the supply chain, or seeing the need to obtain expensive credit from the banks, both of which cause further risks for the business.
Turning risk into an opportunity
It is also worth noting that where there is risk, there is also opportunity. “There are a lot of challenges, there are also a lot of opportunities if the risks are managed well,” says Ingham. Indeed, those companies who take the risk and begin operating in difficult countries may gain a reputational advantage, should conditions improve, due to their association with the country.
Also, volatility and instability can create market opportunities. Adam Smith Awards Asia winners Larsen & Toubro perfectly highlight this point. 2013-2014 was one of the most challenging periods in recent memory for the Indian economy, but it was one of the most profitable for the Indian conglomerate. Driven by its investment philosophy and an acute understanding of the country’s political and economic standing the treasury was able to generate an alpha of approximately 2.5% on investments worth US$1bn. An increase from the two previous years when markets in emerging economies, such as India, were relatively calmer.
It achieved this by proactively analysing the political and economic landscape in India and using this information to reinforce the company’s short-term investment philosophy. In doing so the treasury team were able to make informed decisions that saw it outperform its expected rate of return and largely avoid any adverse impact from the turbulence affecting the Indian economy.
Ultimately, given the impact that geopolitical risk can have on businesses operations, it would seem wise for executives across the company, including treasury to keep geopolitical risk at the front of mind. In doing so, strategies can be put in place should events take a turn for the worse. And although this may not be enough to insulate the business fully from geopolitical shocks, it will put organisations in a positon to either mitigate the risk as best it can, or take advantage of any opportunities that present themselves.
Cyber: the greatest risk
At the same time that geopolitical risk has become a key concern for business leaders, so has cyber risk. In fact, cybercrime has been described by some as the greatest threat to every company on the planet.
Undeniably the risk to businesses is increasing. For example, in 2015 there were 38% more security incidents detected by businesses than in 2014, according to the latest PwC Global State of Information Security Survey. And it is likely that there will be even more the next time the study is conducted.
Successful attacks can cause significant financial loss to organisations. Although, there are no conclusive numbers, British insurer Lloyds estimate that in 2014 as much as $400bn was lost by businesses through cyber-attacks – including the attack itself, the subsequent disruption to the normal course of business and also fines. And as the number of attacks increases this number is set to swell, with Juniper Research predicting that by 2019 the cost of data breaches will be $2.1trn globally.
For a period of time, many organisations viewed cybercrime as something that would happen to others; this is no longer the case. It is a real risk for all businesses, in every country around the world. And the treasury department, which holds the keys to the company’s financial assets – a key target for cybercriminals – has an important role to play in ensuring it does it’s bit as the caretaker of these assets.
What are the threats?
A prudent place to start for any treasury department concerned about cybercrime is to learn about cybercriminals and their methods. Where once cybercrime was committed by nation states, tech-savvy individuals and hacktivists, today cybercriminals are highly organised and committing cybercrime on an industrial scale. KPMG use the phrase ‘shadow corporations’ to depict this and to illustrate how they operate in much the same way as any other company – albeit illegally and unethically.
As cybercriminals have evolved, so has the data that they are targeting. “For the most part cybercriminals used to target intellectual property, state secrets or financial data such as credit card numbers, for instance,” explains Joshua Goldfarb, VP, CTO – Emerging Technologies at FireEye. “Although they still do this, their focus has shifted towards targeting personably identifiable information such as customer data, partner data, employer data and so forth, which can be more valuable.”
How the attackers seek to obtain this information is also ever changing. Cybercriminals have moved away from the ‘smash and grab’ approach where they would use malicious code bundled in malware in an attempt to breach the company’s cyber-security and extract the required information – which they still do to a certain degree. “Today they are far more sophisticated and are looking to steal a user’s credentials, enabling them to operate inside the company’s internal IT systems masquerading as a legitimate user, prolonging the attack and allowing a greater amount of damage to be done,” explains Goldfarb.
No matter which method cybercriminals use to attack a company, if they are successful in targeting the financial assets there are numerous issues which may occur for the treasury department, including: the severe disruption of operations, stolen data and of course, potential losses from fraudulent payments. Moreover, even if the financial assets are not targeted, then treasury may still potentially be called to action should the business receive a fine due to the loss of personal data – the European Parliament have proposed that businesses that do so are to be fined 100m euros or 5% of their global annual turnover.
If the direct financial consequences of poor cybersecurity are not enough to make businesses sit up and take notice, the reputational damage that may also be incurred just might. British telecoms group, TalkTalk, for instance, were victim of a cyber-attack that saw hackers steal the personal data of 20,000 customers. In the week following the attack over 200,000 tweets were made on the topic and a great deal of negative sentiment was built up. Customers also voted with their feet, losing 101,000 customers.
Checklist: fending off cyber-threats
In order to align treasury procedures with the most efficient security standards, the following outline some of the fundamental procedures to check you have the best chance to mitigate the risk of cyber-attacks:
- Do you have a security programme in place, either with treasury’s own IT department or a provider?
- Are they working to ensure the correct security frameworks are in place for defining policies, procedures and controls?
- Have you engaged with all relevant security teams (your company’s and any providers)?
- Are they proactively minimising threats posed by cyber-criminality?
- Are regular audits and tests being carried out?
- Is the department aware of the latest security technologies and continually updating security procedures to maintain effectiveness?
- When changing legacy technologies, are security measures being adapted to integrate new solutions (mobile devices, for example)?
- Should the worst happen do you have business continuity plan in place?
On the defensive
Having a robust cybersecurity strategy in 2016 is clearly a must. But in the view of Goldfarb, the changing dynamics of cybercrime is presenting a significant challenge to organisations. “The attackers and their methods have changed, but organisations haven’t and many still approach cybersecurity no differently from how they did 20 years ago,” he says. “Companies think that by using advanced firewalls and locking everything down they will be able to keep people out. This is not the case, even the best defences can be broken down if somebody is fully determined to get in.”
As a result, companies need to pivot their thinking and whilst it is recommended that they keep doing all they can to keep malicious actors out, they should also accept that intrusions will occur. “Organisations have to approach cyber risk strategically and be able to quickly recognise when cybercriminals have entered into the company’s systems and act prominently to stop the intrusion before it becomes a breach,” adds Goldfarb. “A robust detection and response process is vital to achieve this.”
For the treasury department this is especially important as recognising a cyber breach in good time can potentially prevent a significant financial loss. For instance, if malicious payments are being made and these are spotted early by the treasury team, the bank can be contacted and there will be a good chance that these can be reversed. The longer this process takes however, the less chance the bank has to reverse the payment. Best practice reconciliation is vital here. If a company can reconcile intra-day, or even daily, the better chance it will have of noticing these illegitimate payments.
The banks are also beginning to offer solutions that help mitigate the risk of payment fraud being committed by malicious actors. Typically, these solutions work by utilising a corporate’s historical payment data and a number of predefined rules that work together in order to flag up any irregularities in the payment being made. Therefore, if a fraudulent payment slips through the corporate’s own due-diligence work, it will be flagged up as soon as it hits the bank’s system should there be any irregularities such as a changed account number, beneficiary name, or a significant increase in the value of the payment in comparison to historical equivalents, for instance.
Whilst not a strategy to mitigate the risk of cybercriminals causing damage to the company, cyber insurance can be a way to limit the losses incurred. Typically, cyber insurance works by covering the losses relating to damage to, or loss of information from, IT systems and networks. According to the Association of British Insurers these policies can cover first-party risks, shielding the businesses own assets such as cash, or third-party risks, which covers the assets of others (customers, for instance) including the investigation, defence costs and civil damages associated with cyber-breaches.
Today they are far more sophisticated and are looking to steal a user’s credentials, enabling them to operate inside the company’s internal IT systems masquerading as a legitimate user, prolonging the attack and allowing a greater amount of damage to be done
Joshua Goldfarb, VP, CTO – Emerging Technologies, FireEye
Demand for cyber insurance has grown in recent years, according to Inga Beale, CEO of insurance firm Lloyd’s, who told Fortune magazine that in 2014 “the insurance industry took in $2.5bn in premiums on policies to protect companies from losses resulting from hacks. That was up from around $2bn a year before, and less than $1bn two years before that.”
It must be remembered, however, that although these products and strategies can help to mitigate cyber risk, it is people that are a businesses’ first and last line of defence. The aforementioned PwC survey, for instance, indicates that in 2015 two-thirds of incidents occurred because of the actions of current or former employees.
And cybercriminals are only becoming more sophisticated in how they pray on human frailty to breach a company’s defences. Phishing emails, for example, are now more realistic and often are construed after careful investigation of the target through social media and other channels. As a result, these traps may only become more difficult to avoid in the future.
Education about the risks and how they materialise is therefore vital. A company can do all it can with technology, but ultimately if a member of staff falls foul of such an attack there is not much this technology can do. Companies therefore need to start working to build a cyber conscious culture across the entire organisation. This should be led from the top down and ensure that all members of staff, no matter what level, have the ability and means to question anything they feel is suspicious.
It is only when a company employs the right mixture of people, processes and technology that it will have the best chance of warding off any unwanted cyber activity. And if your company hasn’t started doing this yet, it should start before it is too late.