The impact of treasury operational lapses

Business continuity management (BCM), contingency planning or disaster recovery planning (the terms are used interchangeably) is of growing interest to stakeholders such as customers, lenders, rating agencies and shareholders because it provides reassurance that the company is actively managing risk.

As for any critical business operation, treasury should develop, maintain and regularly test a disaster recovery and business continuity plan. For the treasurer, business continuity risk has two levels of impact:

a) the primary impact on financial flows because of:

• an externally generated shock to financial markets, e.g. terrorist attack
• an internally generated shock, e.g. a ratings downgrade due to a covenant breach
• an interruption to treasury operations

b) the secondary impact on financial flows because of an internally or externally generated interruption to the production or sale of the company’s products or services.

The plan should enable the treasury department to resume its daily responsibilities with immediate effect in the event of a partial breakdown of facilities or the inability to access the building. It should be developed in close conjunction with the IT function.

Because of the diverse nature of risks covered by BCM, many of them specific and company-dependent, it is difficult to be prescriptive in detail. But like any other risk, you can use the risk management framework to develop BCM policies:

• identify risks by defining adverse scenarios and consequences as fully as possible
• assess and evaluate the risks by quantifying the probability and impact of each adverse scenario
• develop responses to each risk, balancing prudence and cost of each response to the probability and impact of the risk -formalise risk responses in policy, ensuring that they are clearly defined:
  • actions and procedures required to respond to each adverse scenario
  • management responsibilities
  • procedures to periodically test the response process
• the BCM reporting system and feedback process must keep management up to date and alerted about the status of potentially adverse scenarios
• feedback in the framework should be used to periodically update the policy to incorporate changes in external and internal circumstances.

The plan needs to be tailored to the circumstances of the organisation and will depend on an assessment of the materiality of the risks, the required speed of recovery, the availability of back-up within the organisation, and the budgetary constraints of buying in standby arrangements from outside. Any disaster recovery plan should be communicated to the company’s banks and tested periodically.

Reporting, audit and review

The purposes of reporting in the context of controls is to:

• demonstrate that treasury and organisational policies are effective
• highlight new risks that may arise
• ensure existing internal controls are working effectively ensure existing internal controls remain adequate.

Reporting is usually on an exception basis for operational risk, but because the risk arises in, and is reported on, by the same department, management should also seek independent review. It is increasingly common for the treasury function to be formally audited on a frequent basis either by internal audit or external audit, or both.

The role of internal audit is to understand the risks and controls of the company and monitor the latter for their effectiveness. In specialist areas such as treasury, internal audit may require third party support to access appropriate expertise.

If internal or external auditors raise issues it is essential that these issues are addressed promptly and effectively, and that the auditors confirm that appropriate action has been taken.