Top 5 Challenges Faced By Global Corporate Treasurers In Managing FX Risk



Source: Deloitte 2015


Fintech can offer benefits to Treasury Departments of Private Firms


According to data from the Association of Corporate Treasurers and Kyriba, fintechs have an opportunity to provide small and medium-sized firms with treasury management solutions.


Globally, approximately one third of treasury departments at private firms still use spreadsheets to manage treasury processes, analysis, and reporting functions. This is quite a staggering number considering the risks involved in using such legacy technology. 36% of all firms surveyed (332 in total) primarily use spreadsheets, which increases to 43% once firms with turnover of $10 billion and over are discounted. Having worked in this industry for some time now, I can say from experience this is realistic and quite frightening indeed!

Here are some more insights into the data from this survey:

Smaller firms are most likely to use spreadsheets. 

  • 55% of firms with $0-$100 million turnover primarily use spreadsheets.
  • 30% use Treasury Management Systems (TMS).
  • 5% use the treasury module of an Enterprise Resource Planning (ERP) solution.

A significant proportion of mid-size firms use spreadsheets. 

  • 46% of firms with a turnover of $500 million-$1 billion use spreadsheets.
  • 31% use Treasury Management Systems (TMS).
  • 10% use the treasury module of an Enterprise Resource Planning (ERP) solution.
  • The percentage of mid-size and smaller firms which use TMS is surprisingly (and worryingly) similar.

The largest firms are least likely to use spreadsheets.

  • Only 9% of firms with over $10 billion in turnover use spreadsheets.
  • 59% use Treasury Management Systems (TMS).
  • Only 9% use the treasury module of an Enterprise Resource Planning (ERP) solution.

Some Advantages and Disadvantages:

  • Using spreadsheets involves manual processing which is inefficient and expensive.
  • Using spreadsheets also increases the risk of human error and fraud.
  • The barrier to adoption of treasury management solutions among small and medium-sized firms has historically been cost as these solutions tend to require expensive infrastructure and supplementary services.
  • Now, with the disruption offered by Fintechs, we are beginning to see a switch. Fintechs can now offer small to medium-sized firms a treasury management solution that is cloud-based, which means they don’t require new infrastructure for data storage and processing.
  • Additionally, the cost of developing these solutions has decreased, which makes it economical to design products meant for use by small and medium-sized businesses. Hence, we have more and more Fintechs penetrating this lucrative, legacy-based market.
  • However, as with many other solutions and technologies offered by such Fintech firms in whatever space, concerns around security, data management and privacy are still very much prevalent. This is probably one of the main factors for the slow adoption by small to medium-sized firms globally.
  • Also, as most small to medium-sized firms (plus large enterprises to a certain extent) use legacy-based systems that are integrated within their business processes, it will require a lot more time, effort and additional cost to adopt a TMS. This could also be a major deterrent.


Top 10 Threats to Business Continuity (in 2014)


This year’s top ten threats to business continuity are:

  1. Unplanned IT and telecom outages;
  2. Cyber-attack;
  3. Data breach;
  4. Adverse weather;
  5. Interruption to utility supply;
  6. Fire;
  7. Security incident;
  8. Health and safety incident;
  9. Act of terrorism;
  10. New laws or regulations.

Source: Business Continuity Institute (BCI)

What do you need to consider when establishing Corporate Governance for I.T. ?


A key strategic consideration for most senior IT executives in 2014 and over the next few years will be Corporate Governance for IT, or ‘IT Governance’.

As with my organisation, many firms procure key IT services from external providers, suppliers and vendors. This means that a governance framework to control the delivery of IT services is becoming more crucial than ever before.

Here are a number of points to consider for establishing IT Governance in your organisation:

  1. Get your management ‘buy-in’ and ensure you have access to funding – This must be one of the first steps in any improvement initiative.
  2. Launch a project or programme.
  3. Establish your ‘as is’ or current environment.
  4. Identify what you presently have in place.
  5. Define the ‘to be’ or future vision of what you want to attain and why.
  6. Identify and classify the gaps between your ‘as is’ and ‘to be’.
  7. Produce an IT Governance framework.
  8. Develop a roadmap to get you from your ‘as is’ to your ‘to be’ scenario.
  9. Formally engage the stakeholders.
  10. Plan, manage and make the required improvements.
  11. Carry out reviews and provide the necessary reporting.

What is GRC?


“GRC is an abbreviation for Governance, Risk and Compliance.”

G represents Governance

Basically this means running your business as usual (BAU) and ensuring that things are done according to the standards, rules and regulations in the environment in which your business operates. It also means defining your expectations of what should be done in a clear and concise manner, so that everybody (employees, shareholders, public, partners, etc) knows how your company is run.

R represents Risk

In pretty much all that we do there is an element of risk. Running a business is no different. Risk becomes a method to help you both in protecting value, i.e. what you have, and in creating value, i.e. strategically growing your business or adding new products and services to existing ones.

C represents Compliance

Nowadays all companies need to abide by many laws and directives affecting businesses (as well as citizens). For compliance to add value and be effective, certain controls and limits should be put into place to ensure that compliance is actually taking place. This might mean monitoring your company’s transactions or ensuring that your IT systems and services are in order. It might even simply mean ensuring that the same employee is not creating suppliers and deceitfully making payments out to their friend or family member. The C relates to laws such as Sarbanes-Oxley (SOX).

In actual fact, GRC is meant to aid growth in your business in the best possible way, and should thus be given high prominence in your strategic and operational goals.

Managing IT Risk – Part 3


Introduction

In a competitive business environment, every organisation operates in a climate of risk. It is never possible to remove all risk from a business, but it is important to assess and reduce risk to an acceptable level where possible.

In relation to IT, assessing and minimising risk has become increasingly important, particularly for businesses that rely heavily on technology. Therefore, it’s vital that business owners understand, monitor and control risk – especially as the IT environment changes rapidly and new IT-related risks appear regularly.

Part 1 of this article provides you with some examples of IT-related risks facing your business. Part 2 shows you how to identify and assess the IT-related risks facing your business. And this article will provide you with some ideas on how to reduce these risks and their potential impact on your business.

 

Risk mitigation – risk reduction

If your assessment shows that you have unacceptably high levels of risks to your business, then you need to take some action to counter them.

You could:

  • reduce the probability of the risk affecting your business
  • limit the impact of the risk if it does occur

In practice you will often wish to do both. However, generally you should try to reduce the probability of the risk affecting your business in the first place.

One way of doing this is risk avoidance, ie avoiding doing the things that could lead to a problem occurring, such as not entering into a line of business, a particular deal or a new IT project, because it carries a risk.

However, this might mean that you end up not doing anything new, and hence not being able to benefit fully from business opportunities.

You could instead take a more positive approach by changing the way in which you carry out an activity. This is quite appropriate to IT-related risk, and usually involves adopting a best practice approach to acquiring or operating IT systems.

 

Risk mitigation – impact reduction

There are inevitably some risks to your business that you can neither eliminate nor reduce to an acceptable level.

For these, you can only mitigate those risks by assessing what might happen as a result of the problem and reducing their impact should they occur.

In many situations, the greatest damage can occur because no one fully understands the nature of the problem and someone ends up making it worse.

This can be avoided by common-sense procedures, which should be part of your risk mitigation approach:

  • Do not take any actions that could exacerbate the problem. For example, if there is a problem with accessing files from a back-up tape using a tape drive, you should investigate whether the problem is caused by the drive, rather than just assuming there is a problem with the tape and then potentially damaging other tapes by placing them in a faulty drive.
  • Implement documented procedures for dealing with likely threats, and train your staff in their use. For example, there are many ways that a virus can get into your system, so you should have plans for quarantining affected parts of the system so that the problem doesn’t spread.

An important part of impact reduction is the early detection of problems. Where you have a risk that you can’t eliminate, you should ensure that you have a fail-safe method of detecting the problem if it occurs.

Often failures are very obvious. However, occasionally, particularly in continuous or recurring processes, a failure may occur silently, and its impact will grow over time. If you identify this type of risk you should build in a periodic check to detect the problem as soon as possible.

Don’t forget that to reduce the cost impact of a problem should it occur, you could take out insurance. This is a form of risk transfer and is a normal part of doing business.

 

Contingency Plans

A contingency plan is an impact-reduction measure. It should describe in detail what you and your staff will do if a particular problem occurs.

You may need a contingency plan when:

  • you identify a risk that you think has a high chance of happening and will have a high impact
  • you try to find ways of reducing the likelihood of the event, but you cannot reduce the risk to an acceptable level
  • the residual risk is still so large that you need to take a structured approach to reduce its likely impact

The main considerations that you should address in a contingency plan are:

  • scope – what particular risk the contingency plan is designed for
  • initiation – how you will know when to put the plan into action
  • actions – what sequence of actions you will take in order to control the problem and minimise its impact
  • roles and responsibilities – who will do what and when

Good contingency plans are usually based on the shared experience of managers working together.

An important form of contingency plan is a business continuity plan (BCP). This is typically created to cover the most serious of problems, such as the complete loss of all your servers and network infrastructure due to a fire or natural disaster.

Such plans may involve planning for the rapid acquisition of temporary buildings, reciprocal arrangements with other organisations, special staffing arrangements, etc.

BCPs should be tested if possible. A test could be a simple paper exercise where different parts of the recovery procedure are run through by the people involved. This is adequate for simple plans.

A full test of a BCP requires a full exercise. This will usually involve many people and significant cost because it will disrupt normal activities. Therefore, any exercise of this type should be carefully planned and budgeted.

 

Author: Mawdud Choudhury, Chief Information Officer (CIO) at Universal System Technologies (UST), Brunei Darussalam.

Managing IT Risk – Part 2


Introduction

In a competitive business environment, every organisation operates in a climate of risk. It is never possible to remove all risk from a business, but it is important to assess and reduce risk to an acceptable level where possible.

In relation to IT, assessing and minimising risk has become increasingly important, particularly for businesses that rely heavily on technology. Therefore, it’s vital that business owners understand, monitor and control risk – especially as the IT environment changes rapidly and new IT-related risks appear regularly.

Part 1 of this article provides you with some examples of IT-related risks facing your business. This article will show you how to identify and assess the IT-related risks facing your business. And Part 3 of this article will provide you with some ideas on how to reduce these risks and their potential impact on your business.

 

Risk Management

Risk management should be seen as an ongoing process, rather than a one-off procedure that you apply to an individual threat. You should continuously reassess threats and actively search for new ones.

Risk management is a structured way of controlling risk. There are various ways you can do this, but the following steps outline a typical approach:

  • Identify risk – to manage risk you have to be able to identify potential threats. This allows you to act before something happens, rather than ‘fire-fighting’ after an event.
  • Risk assessment – you might not need to invest time and money in reducing risk, but you need to take a measured approach to it. Assess its importance to your business. If the risk is serious enough, then you may need to take further action. Some risks may not warrant further work.
  • Risk mitigation – risk reduction – with many risks you can implement preventative measures that will significantly reduce the probability of the risk occurring.
  • Risk mitigation – impact reduction – for some risks, you may not be able to reduce the probability of them occurring to an acceptable level. Therefore, you should think more about reducing the negative consequences of that risk should it actually affect your business.
  • Contingency planning – often the best you can do is make plans for how you would survive a problem. Contingency plans are what you would do after the worst has happened. A particularly important form of contingency plan is a disaster recovery plan.

 

Identifying Risk

To manage IT risks effectively you have to be able to identify potential threats. In the fast-moving world of IT, this can be difficult. However, there are some effective preventative measures you can take.

A good starting point for identifying risk is the Information Security Breaches Survey, produced by PricewaterhouseCoopers LLP and commissioned by Infosecurity Europe. This is published every two years and contains an excellent analysis of the risks that could affect both large and small businesses.

Information Security Breaches Survey 2010

There are other good resources online, which are updated more frequently. You can find information on the latest vulnerabilities, incidents and fixes on the CERT website.

Another technique that can help you to identify threats is a what-if analysis. This works better in a small group using a brainstorming approach.

Start with simple questions and scenarios to see if they can help to identify new risks. For example, ask questions such as ‘what if the telephone line to the building got cut with a digger?’, or ‘what if the same happened to our power?’, and see what plans you need or already have in place to cope with these eventualities.

Another important step in identifying risks is to write them down in a risk register as you assess them, so you have a permanent record. You can record in the register what you do about each risk as well as the probability of the risk occurring and use it as a checklist when you review your risks periodically.

 

Risk assessment

Care should be taken when assessing the risks your business may face. You do not want to spend time and money avoiding or reducing those risks that pose little or no threat to your business.

Once you have identified the risks that do pose a threat to your business, it may be helpful to base your risk assessment on the following factors:

  • the probability or likelihood of each risk materialising
  • the cost or impact of the problem if it did happen

A quantitative assessment of your risks would be the numerical product of these two factors. For example, if a risk has a high probability and a high cost/impact, then it will get a high risk assessment.

Unfortunately, quantitative measures of risk like this are only meaningful when you have good data. You may not have the necessary historical data to work out probability, and cost estimates on IT-related risks change so quickly that accurate financial data is rarely available.

Therefore, a more practical approach is to use a qualitative assessment. In this case, you use your judgement to decide whether the probability of occurrence is high, medium or low. You do this similarly for cost/impact. You might then take action on risks that are high probability/medium cost, medium/high or high/high, and leave the rest.

Define what you would consider to be low, medium and high cost to your business in whatever terms seem useful, for example:

  • low – would lose up to half an hour of production
  • medium – would cause complete shutdown for at least three days
  • high – would cause irrevocable loss to the business

Use the same principles for probability. For example, you might classify as ‘high probability’ something that you expect to happen several times a year. You might classify as ‘low probability’ something that you expect to happen very infrequently.

 


 

Author: Mawdud Choudhury, Chief Information Officer (CIO) at Universal System Technologies (UST), Brunei Darussalam.

Managing IT Risk – Part 1


Introduction

In a competitive business environment, every organisation operates in a climate of risk. It is never possible to remove all risk from a business, but it is important to assess and reduce risk to an acceptable level where possible.

In relation to IT, assessing and minimising risk has become increasingly important, particularly for businesses that rely heavily on technology. Therefore, it’s vital that business owners understand, monitor and control risk – especially as the IT environment changes rapidly and new IT-related risks appear regularly.

This article will provide you with some examples of IT-related risks facing your business. Part 2 of this article will show you how to identify and assess the IT-related risks facing your business. And Part 3 of this article will provide you with some ideas on how to reduce these risks and their potential impact on your business.

 

Examples of IT-related risks

Business managers are used to recognising commercial threats and taking appropriate actions – for example, dealing with a new customer who turns out to be a late payer.

However, IT-related threats in business are much newer, a lot less predictable and change much faster.

A useful way of recognising threats is to classify them as follows:

  1. Physical threats are those that result from physical access or damage to information resources such as servers, network equipment, computer rooms, data centres etc. In some business environments it is easy to overlook these types of threats. However, if an unauthorised person – employee or not – can enter your computer room unobserved, then all your other IT security measures are essentially compromised.
  2. Electronic threats are those that aim to compromise your business information and typically come from outside your premises/network, eg a hacker accessing your network via your website. Other malicious threats can range from phishing and spoofing emails and websites to links in social networking websites that take you to websites that can steal your personal and financial details. Hackers can gain remote control of your computers through infections by viruses, worms or Trojans, turning them into ‘bots’. These groups of infected machines – botnets – are capable of a wide variety of activities, including denial-of-service (DoS) attacks, click fraud and identity theft.
  3. Technical failure is a common threat for IT systems. For example, if key data is stored only on the hard disk of one server, then the failure of that hard disk would be disastrous to the business.
  4. Infrastructure failure can be a subtle form of threat. For example, if your business relies on your internet connection to receive orders from customers, you could miss out on new purchase orders if that connection fails.
  5. Human error is a major threat. If an honest mistake by a user or system manager could cause an irrevocable loss of data, you need to take action to prevent it from happening, eg by regularly backing up data.

 


 

Author: Mawdud Choudhury, Chief Information Officer (CIO) at Universal System Technologies (UST), Brunei Darussalam.

How to make IT a success?


We all want to run successful IT departments but how do we do it? Here are my thoughts on the subject.

Below are ten steps which I have used in the past and in my current organisation. They have been a success for me and may well benefit you and your teams going forward.

 

Of course, ten is an arbitrary number and there are likely to be more or fewer steps in order to reach your goal – it really depends on where you are starting from, your type of business, the size of your organisation and how you define success.

I have put them in order of importance, starting with the most important, but this is not set in stone. Some will be parallel steps and some dependent on where you are in the maturity model and the size and type of business.

1. Understand and Control your Costs
You can’t achieve anything unless you understand your cost base so this has to be my number one. Once you have analysed the costs and dealt with any discrepancies, it is important to keep them under control. A control system for authorising purchases and controlling invoices may be needed.

Also maintain reliable information on projected vs actual costs and the benefits of any IT investments. Any linking of technology investments to business performance measurements is a bonus.

2. Customer Focus
Some people may say this should be number one but I feel you cannot provide the best service to your customer if you don’t have your finances in place. Don’t just consider your own company requirements but those that reflect the needs of your customer, otherwise you can become internally focused and your vision restricted by the walls of the company.

It can be challenging to see how improving IT might make your company’s customers more successful. This may require a fundamental shift to become a more integral part of the company’s operations in order to create real value for the end customer.

3. Strategic Planning
You need to create a plan for your department or organisation so you have direction. Strategic business and IT systems plans must be grounded in explicit high priority customer needs and must be aligned. Planning, budgeting and execution should be conducted in a seamless fashion with outputs of one process a direct input into another.

Most importantly, make sure the strategic goals, objectives and direction are used to manage and evaluate the performance of the organisation.

4. Business Buy-In
You need to obtain and maintain business buy-in and ongoing support. The business should have been working with you on the previous steps so there are no surprises. Make sure you get board/top management approval, communicate directional changes/issues and keep the board/top management informed.

5. Develop Partners and Suppliers
A good supplier strategy can deliver a win-win for both parties. Suppliers can be an asset and a major weapon in your armoury.

Treat them with respect. Choose partners that can deliver best in class products and services. Share the vision with them. Make sure they understand the challenges in your industry. Individuals within the suppliers are the real key to your success, so look to build relationships with those people.

6. Manage IT
Focus on metrics that really drive the performance of the business. Apply best practice where possible. Manage resources and direct scarce resources to high value/high visibility projects. Support major cost reduction and service improvement efforts. Measure performance of key mission delivery processes and communicate them.

Also it is often worth carrying out some benchmarks within your industry to see how you are comparing against your competitors.

7. Be Project-Driven
Create a project portfolio and manage all IT projects as a programme. Manage individual projects as investments, ensuring that there is a sound business case, that benefits are identified and agreed, and that stakeholders are fully involved. Don’t be afraid to cut your losses and, if necessary, have an exit strategy if a project is not going to work out.

Don’t forget to manage risk and, when looking at implementation, use change control techniques so there are no surprises for the recipients. Be benefits-driven and make sure they are realised. Consider managing large projects using EVM (earned value method). Ambitious and complex projects should be broken down into smaller deliverables.

8. Team Ethos
A motivated, knowledgeable team is a great step to success. Operate as one team and include any key suppliers in that. Look at ways to motivate and reward the team but most of all build trust and don’t be afraid to delegate. You can always put some soft controls in to ensure things are kept within boundaries.

Communicate so everybody knows what is happening and what is expected of them.

9. Train the Team
Ensure you have the right level of skills available to make things happen. Develop a skills matrix based on your functional needs and match your team’s individual skill levels to the matrix. Use this to highlight deficiencies and determine your training program.

Consider sending people to relevant conferences and industry group meetings so they are aware of the wider world. Developing your people will pay off in the long run.

10. Advertise your Success
Let other people in the company and industry know what you are doing. Create a communication plan. Make sure communication is regular and use every opportunity to talk about your achievements in terms of business benefit.

Author: Mawdud Choudhury, Chief Information Officer (CIO) at Universal System Technologies (UST), Brunei Darussalam.