Published: January 01, 2000
From major disasters, such as hurricanes and tsunamis, to everyday disruptions, such as extended illness and theft, corporate treasuries need to be ready for any interruption affecting their day-to-day operations. Business Continuity Planning (BCP) is the process used by companies to prepare for a wide range of disruptions before they happen, enabling the enterprise to resume normal operations as quickly as possible. This article explains the importance of BCP for treasury organisations and outlines the four stages involved in developing a new, or refreshing an existing, continuity plan.
In recent years, companies around the world have learned to expect the unexpected. Many have developed sophisticated contingency plans to cover a wide range of possible disruptions. For corporate treasurers, this process is particularly important; any disruption to normal cash management activities – for example, the failure to make payroll on time – could have significant consequences for the company.
As such, undergoing a robust BCP process is particularly important for the treasury organisation. The objective of BCP is to develop a plan that enables companies to resume normal operations, within a specified timeframe, in the event of unforeseen changes in the company’s operating environment. The scope and content of the plan should be determined by the perceived threats and risks the company faces, as well as by the size of the business.
The time and effort that a treasury team invests in the BCP process will be reflected in the quality and effectiveness of the plan. In order to keep the plan relevant, it needs to be reviewed regularly by the treasury team and amended to reflect any changes to the treasury’s workflow and resources.
At one time, BCP was called ’disaster recovery planning’. The focus at that point was on restoring normal operations after a natural or man-made event, such as a fire, flood, snowstorm, hurricane or blackout.
While these events can certainly halt normal operations, business people have since realised that their companies face many other threats that were often not planned for in the past. These include cyber-attack, sabotage, theft, retirement, extended illness, short-term and long-term disability, military service and normal employee turnover.
Today, BCP is carried out with the understanding that trouble may come in many different forms – and that a contingency plan should take into account all possible disruptions.
A business continuity plan is not something that can be developed when a crisis is already under way. Planning what to do before it is needed can be the difference between successfully managing through a crisis or being brought down by one.
A business continuity plan is usually developed by following these four steps:
1. Business impact analysis
2. Risk assessment
3. Plan development
4. Testing and assessment
During the discovery process, the treasury team works to identify specific events that could disrupt their company’s day-to-day operations, as well as the effect that each event could have on treasury processes, systems, personnel and resources.
The following three scenarios can form a useful starting point:
1. Entry into the physical workplace has been denied, but systems and data can be accessed.
2. Access to systems and data has been denied, but the physical workplace is accessible.
3. One or more key personnel are absent from work for more than 30 days.
The team should not spend time analysing the probability of any of these scenarios happening during this stage, as this will take place in the next step. Their focus at this point should be on identifying the circumstances that would lead to the business continuity plan being implemented.[[[PAGE]]]
During the analysis period, the team should review every aspect of normal operations and assess the business impact of each interruption or absence. Treasury interacts with, and depends upon, many other functions and individuals within the organisation, so these parties should be consulted regarding their own contingency plans and the treatment of any activities that relate to treasury operations.
Once the treasury team has identified the scenarios under which the BCP would be activated, the next step is to assess the probability of occurrence for each scenario. For simplicity, probabilities can be assessed using three labels: low, medium and high.
While assessing probabilities, the team should consult with in-house experts. For example, the corporate real estate team can advise whether the office is located in a flood plain. If so, what is the probability the office would be closed following a severe rainstorm or in the aftermath of snowmelt?
Next, the treasury team must assess the impact of each scenario upon the processes, systems, personnel and resources required to maintain day-to-day operations. The accessibility, functionality and effectiveness of each of these elements should be assessed with a low, medium or high impact.
Once the probability of every scenario and the impact upon every process, system, person and resource has been assessed, the resulting data is used to populate Table 1.
The treasury team can then reassess the ranking of critical activities performed in the business impact analysis phase. A gap analysis – an exercise that identifies the steps needed to get from the current state to the desired state – should also be performed to determine whether the existing policies and procedures are adequate to help the team recover and resume normal business operations. If not, the gap must be addressed and the BCP modified accordingly.
Having identified and assessed the risks, the treasury team is now ready to begin developing its new BCP, or refreshing an existing one. The plan must exist in written form, and should be reviewed and approved by the CFO and the designated leader of the organisation’s business continuity programme.[[[PAGE]]]
The BCP should include:
Information should not be based solely on the assumption that normal operations will resume quickly. The plan should include all the information necessary for performing normal operations, regardless of how long the disruption lasts. It should be stored in multiple locations, including several offsite copies.
Periodic testing is required in order to keep the BCP up to date and relevant. The testing plan should cover all of the processes and systems currently used by treasury, and be amended if any changes are made to the treasury’s normal operating procedures or the BCP.
The testing programme document should specify who is responsible for conducting the test and evaluating the output. Actual results should be compared to the expected results, and any discrepancies should be identified. The treasury should then address the discrepancies – and if necessary, schedule additional testing before the next periodic test.
The results of each test, and the proposed corrective action, should be reported to the treasurer and CFO. It may be appropriate to have the testing programme reviewed by an independent third party.
The objective of BCP is to give treasury the tools needed to manage successfully through a crisis. By following this four-step framework, the treasurer will be in a better position to make informed decisions and resume the operation of critical functions as soon as possible once a disruption occurs.
How Thought Leadership Can Reduce the Cost of Sales by Patrik Havander, Havander & Partners A focused attention on the costs incurred by the global sales and marketing processes is becoming increasingly important for corporate banks and their transaction banking departments. While the client/bank relationship remains vital, research has shown that in fact relationship selling […]
