Session Handout - Treasury Management Association of New York

“Building Treasury’s Business Resiliency Strategy”
A Treasury Management Perspective on
Business Resiliency
Prepared for
May 29, 2013
Craig S (“Sandy”) Saxer
Senior Vice President
PNC Treasury Consulting Group
NY Cash Exchange 2013
The Importance of Business Continuity Management

“By failing to prepare you are preparing to fail.”– Ben Franklin

“The only thing harder than planning for an emergency is explaining why you didn't.”
-Unknown

“While no plan can guarantee success, inadequate plans are proven contributors to
failure.”
-US Department of Homeland Security, Nationwide Plan Review Phase 2 Report June 16, 2006

“Business continuity is not a project with a beginning and ending date, it is a program to be
managed indefinitely.”
-Business Continuity Management

The treasurers we identified as most effective, for example, regularly test the business
continuity plans that keep treasury operations running through unforeseeable catastrophic
events,
-McKinsey & Company (“Five steps to a more effective global treasury”, McKinsey on Finance #42, Winter 2012)

Natural disaster, IT outage or industrial action are the disruptions that make headline
news. But disruption also includes staff illness or local events that affect your supply chain.
–TalkingBusinessContinuity.com
Trends for the Treasury Department’s role
Companies are calling on treasury departments to do more related to managing risk.
Source: CFO Magazine/2006 AFP Strategic Role Survey
Source: 2012 AFP Treasury Benchmarking Survey
What is Business Continuity Planning?
It is a process to ensure the maintenance of critical operations
when confronted with adverse events related to:
People
• Labor Strike
• Infectious Outbreak
• Extreme Weather
• Transportation Outage
Technology
• Power Outage
• IT/Network Failure
• Telecom Failure
• Sabotage
Facilities
• Fire
• Workplace Violence
• Natural Disasters
• Hazardous Materials
Supply Chain
• Suppliers
• Customers
• Payment Channels
It consists of 4 Components:
Business Impact Analysis (BIA)
Prioritizing the recovery of a business and its services through the identification
and assessment of potential impacts. Simply put, it is defining what and when the
Company’s business should be recovered based on the potential risks and costs
of a business disruption.
Business Impact Analysis
Business Impact Analysis (BIA) identifies the effects and impacts of interruption on
the viability and vitality of operations and critical business functions, especially
financial activities, including maintaining collections, processing payments,
operating a supply chain, handling payroll.
BIA: Identifies your requirements for continuing your key functions
PEOPLE
o Key Staff
o Key Skills
o Expertise / competence required
o Minimum staffing levels required to continue / recover key functions
PREMISES
o Key facilities
o Key Equipment
o Key Resources
o Specialist Equipment
o Security / restrictions
o Alternative sites
o Alternative facilities
PROCESSES
o Key processes
o Critical periods
o Key IT systems / applications
o Key documentation / data
o Record keeping requirements
o Key communication requirements
PROVIDERS
o Key dependencies (supply and receipt)
o Key suppliers
o Key contractors / service providers / suppliers
o Reciprocal arrangements in place with other organisations
Risk Assessment
Identifying and assessing the likelihood and impact of potential threats to Your
Company. Threats include various scenarios that could lead to the loss of
technology, human capital, facilities or the Company’s suppliers.
Risk Assessment
Source: Federal Emergency Management Agency (FEMA)
http://www.ready.gov/risk-assessment
Top Threats to Business Continuity in 2013
Level of Corporate Concern
Unplanned IT/Telecom Outage: 70%
Data Breach: 66%
Cyber Attack: 65%
Adverse Weather: 53%
Interruption to Utilities: 50%
Source: The Business Continuity Institute: Horizon Scan 2013 Survey Report
Top Emerging Threats to Business Continuity
Which of the following trends or uncertainties are on your radar for
evaluation in terms of their business continuity implications?
Source: The Business Continuity Institute: Horizon Scan 2013 Survey Report
Distributed Denial of Service (DDoS) Attacks
• DDoS is an attack on a computer/server or its resources that makes it unavailable to intended users. (1)
• Massive volumes of data
– Up to 70 Gigabytes/second (2)
  • Equivalent to 1.9 DVDs per second, or
  • 1,750 iTunes songs per second
• Prime Target: Banks (3)
– 64% of banks have been attacked
– 48% of banks have had multiple attacks
– 78% expect continued or increased activity in 2013
• Other Major Targets: (4)
– eCommerce sites
– Software-as-a-Service (SaaS) Organizations
Sources:
1) Wikipedia
2) www.nytimes.com/2013/01/09/technology/online-banking-attacks-were-work-of-iranus-officials-say.html
3) AFP Fraudwatch: 1-28-2013
4) Prolexic Quarterly Global DDoS Attack Report Q4 2012
Resiliency Planning and Mitigation
Documenting business and technology response and recovery plans. Recovery
plans are developed to be flexible to respond to a multitude of different threats.
In some instances, as gaps in plans are identified, mitigation strategies are
developed and implemented to improve the ability to recover.
Using the BIA to Build a Plan
BIA: Identifies your requirements for continuing your key functions
Business Continuity Plan: Documents how your requirements identified in the BIA can be achieved

PEOPLE
BIA
o Key Staff
o Key Skills
o Expertise / competence required
o Minimum staffing levels required to continue / recover key functions
Business Continuity Plan
o Notification / invocation procedure / protocol
o Management structure for dealing with an incident
o Information and advice to staff (response procedures)
o Key staff / contact list (including out of hours details)
o Multi skill training in key areas
o Reciprocal Arrangements to cover staff short falls
o Home working
o Staff welfare issues

PREMISES
BIA
o Key facilities
o Key Equipment
o Key Resources
o Specialist Equipment
o Security / restrictions
o Alternative sites
o Alternative facilities
Business Continuity Plan
o Loss / damage assessment
o Site security
o Relocation arrangements / protocol
o Inventories of equipment / resources and details of how to recover these
o Salvage, site clearance and cleaning arrangements

PROCESSES
BIA
o Key processes
o Critical periods
o Key IT systems / applications
o Key documentation / data
o Record keeping requirements
o Key communication requirements
Business Continuity Plan
o Action cards for recovery of key processes
o Checklists
o Copies / Back-ups / safe storage (recovery procedure)
o Contingency procurement arrangements
o Documented manual procedures
o Data recovery procedures

PROVIDERS
BIA
o Key dependencies (supply and receipt)
o Key suppliers
o Key contractors / service providers / suppliers
o Reciprocal arrangements in place with other organisations
Business Continuity Plan
o Contact details for key providers / contractors / suppliers / support services
o Alternative suppliers (required for key functions)
o Alternative providers (required for key functions)
o Alternative contractors (required for key functions)
o Resilience capability of suppliers / provider / contractors to business disruption
o Third party business continuity arrangements

PROFILE
BIA
o Key stakeholders
o Legal / statutory / regulatory requirements
o Vulnerable groups
Business Continuity Plan
o Communication strategy / plan / procedures
o Stakeholder liaison (regulator, clients, unions)
o Media liaison
o Public information / advice
o Notification of at risk groups / alternative care arrangements

Source: www.talkingbusinesscontinuity.com
U.S. Postal System: Anticipating Change
• The USPS financial problems have been widely publicized and continue to mount
• In response the USPS has embarked on an aggressive two year plan to modify service levels and align capacity with demand
– 46 plants consolidated by August 2012, 94 more in early 2013
– Reduction of the two day service delivery area from ≈ 500 miles to ≈ 250 miles
– Elimination of overnight delivery of 1st class mail in 2014; 89 more plants to close
• Remittance Mail to be handled on an expedited basis with prioritized Zip Codes, National Firm Holdout and extended caller services
• The impact on Lockbox mail in 2012 was limited
U.S. Postal System: Anticipating Change
https://ribbs.usps.gov/modernservicestandards/ssmaps/find_map.cfm
U.S. Postal System: Anticipating Change
• The USPS recently announced it will eliminate door-to-door mail delivery on Saturdays, effective August 5, 2013
– Move will save the USPS $2 billion annually
– This may still require Congressional approval
• USPS will continue to process mail on Saturdays; it just won’t have its mail carriers delivering it door-to-door
– Large lockbox providers like PNC will not be negatively impacted, as we can continue to retrieve mail from the Post Office as we have traditionally done
– Clients should not eliminate weekend processing
• The float/availability gap between those who utilize a lockbox and those who do not will likely widen as the Saturday change and future consolidations occur.
U.S. Postal System: Anticipating Change
General observations of changes to date:
• Wednesday mail declining; Sunday mail moving to Monday
• Mail arrival patterns have shifted to later in the day
• The two day delivery area is shrinking; more mail moving to three day
Expectations related to upcoming changes:
• Some businesses might benefit from adding additional lockbox locations
• Companies still receiving mail in-house will be impacted more dramatically than those using lockbox
• Clients with early final deposit deadlines may wish to consider adding later deposit deadlines
• Encourage electronic payments and evaluate invoicing methods
Risk Monitoring and Testing
A critical component to the life cycle of resiliency is to demonstrate or validate the
Company’s ability to recover at the time of a crisis or event. Recovery plans
should be exercised in a testing scenario. It enables the business to identify
potential gaps or risks in the recovery plans before an actual incident occurs, thus
reducing the risks of a delayed recovery in a live event.
Monitoring and Testing the Continuity Plan
According to Forrester Research (1):
• ≈ 45% of business unit owners are not involved in plan testing
• ≈ 57% of business unit owners are not involved in training and awareness
• ≈ 44% of organizations do not include business partners (suppliers, providers, etc.)
• The top 3 lessons learned from organizations that invoked a Business Continuity Plan:
1. There had not been enough training and awareness.
2. Plans didn’t adequately address internal communication and collaboration.
3. Key staff had not been included in testing and didn’t know roles/responsibilities.
Recommendations:
1. Update the BIA to include new threats, processes, systems, partners etc.
2. Test various components in your plan and update based on lessons learned.
3. Meet with stakeholders such as banks, trading partners and vendors to discuss critical components of the plan that require their participation.
1) Source: Disaster Recovery Journal, Winter 2012, “The State of Business Continuity Preparedness”
Parting Thoughts: A Day in the Life of Treasury…
Execution (80% of time)
• Compile cash position
– Retrieve data from bank(s)
– Reconcile prior day estimates with actual results
• Make liquidity management decisions
• Initiate, approve, release wires
• Update current day position with new information
• Generate management reports
• Research payments and cash flow issues
Analytical (15% of time)
• Create cash forecast model
• Review exposures
• Hedge positions
Strategic (5% of time)
• Enterprise Risk Management; Working Capital Management; Advisor to Business Units; Liaison with Board of Directors
Source: Treasury Strategies, Inc.
Questions?
Supplemental Readiness Questions
Asking the right questions will enable you to develop contingency plans and
actions designed to minimize operational and financial disruptions.
Financial Planning: Contingencies
Collections
• Lockbox:
– Can you receive data for posting?
– External Changes… USPS
– Exception management: Post cash and correct issues later?
• Electronic Payments
– Do you have event notification?
– Information reporting: Intraday?
– Related data: FED reference number; Expanded remittance, CTX, CCD+
• Physical payments
– Security of collected cash?
– Alternatives for check deposit?
– Card Acceptance?
Financial Planning: Contingencies
Disbursements
• Demand Accounts (Checking):
– Authorized signers/resolutions: Limits, number of signers, physical location: Do you have paper and electronic copies?
– Check stock: Accessible? Secure?
– Check Positive Pay implications: Pay or no pay?
• Wire:
– Voice wires: Do you have a PIN process established?
– Branch origination: Hours of operation; dollar limits; PINs
– Deadline of FED wire system
– Tokens/Call Back Numbers?
• ACH:
– Can you create/confirm a payment/file (system availability)?
– Windows of operation: ACH network and your bank
– Dual approval: Access and availability
– ACH Positive Pay implications
Financial Planning: Contingencies
Information Reporting
– Visibility of activity (and of Cash!)
– Accessibility to company systems, web and bank systems?
Liquidity
– Daylight OD limits: For your company? For your bank?
– Availability of cash when receipts are interrupted?
– Overdraft (overnight) vs. extension of credit
Card Programs
– Alternative MCC/Spend Limit Profiles?
– Emergency Cards?
– Prepaid cards?
– Travel Related Considerations?
– Cardholder Communications?