A Treasury Management Perspective on Business Resiliency

Craig S (“Sandy”) SaxerSenior Vice PresidentPNC Treasury Consulting Group

Prepared for

“Building Treasury’s Business Resiliency Strategy”

May 29, 2013

NY Cash Exchange 2013

The Importance of Business Continuity Management

2

“By failing to prepare you are preparing to fail.”– Ben Franklin

"The only thing harder than planning for an emergency is explaining why you didn't.” -Unknown

“While no plan can guarantee success, inadequate plans are proven contributors to failure.”-US Department of Homeland Security, Nationwide Plan Review Phase 2 Report June 16, 2006

“Business continuity is not a project with a beginning and ending date, it is a program to be managed indefinitely.”-Business Continuity Management

The treasurers we identified as most effective, for example, regularly test the business continuity plans that keep treasury operations running through unforeseeable catastrophic events, -McKinsey & Company ( “Five steps to a more effective global treasury”, McKinsey on Finance # 42, Winter 2012 )

Natural disaster, IT outage or industrial action are the disruptions that make headline news. But disruption also includes staff illness or local events that affect your supply chain. –TalkingBusinessContinuity.com

Trends for the Treasury Department’s role

3

Source: CFO Magazine/2006 AFP Strategic Role Survey

Companies are calling on treasury departments to do more related to managing risk..

Source: 2012 AFP Treasury Benchmarking Survey

Trends for the Treasury Department’s role

4Source: 2012 AFP Treasury Benchmarking Survey

Trends for the Treasury Department’s role

5Source: 2012 AFP Treasury Benchmarking Survey

What is Business Continuity Planning?

6

People Labor Strike Infectious Outbreak Extreme Weather Transportation Outage

Facilities Fire Workplace Violence Natural Disasters Hazardous Materials

Technology Power Outage IT/Network Failure Telecom Failure Sabotage

Supply Chain Suppliers Customers Payment Channels

It is a process to ensure the maintenance of critical operations when confronted with adverse events related to:

It consists of 4 Components:

Business Impact Analysis (BIA)

7

Prioritizing the recovery of a business and its services through the identification and assessment of potential impacts. Simply put, it is defining what and when the Company’s business should be recovered based on the potential risks and costs of a business disruption.

Business Impact Analysis

8

Business Impact Analysis (BIA) identifies the effects and impacts of interruption on the viability and vitality of operations and critical business functions, especially financial activities, including maintaining collections, processing payments, operating a supply chain, handling payroll. BIA

Identifies your requirements for continuing your key functions

PEOPLE

o Key Staffo Key Skillso Expertise / competence requiredo Minimum staffing levels required to continue / recover

key functions

PREMISES

o Key facilitieso Key Equipment o Key Resourceso Specialist Equipmento Security / restrictionso Alternative siteso Alternative facilities

PROCESSES

o Key processeso Critical periodso Key IT systems / applicationso Key documentation / data o Record keeping requirementso Key communication requirements

PROVIDERS

o Key dependencies (supply and receipt)o Key supplierso Key contractors / service providers / supplierso Reciprocal arrangements in place with other

organisations

Risk Assessment

9

Identifying and assessing the likelihood and impact of potential threats to Your Company. Threats include various scenarios that could lead to the loss of technology, human capital, facilities or the Company’s suppliers.

Risk Assessment

10

Source: Federal Emergency Management Agency (FEMA) http://www.ready.gov/risk-assessment

Top Threats to Business Continuity in 2013

50%

53%

65%

66%

70%

0% 10% 20% 30% 40% 50% 60% 70% 80%

Interruption to Utilities

Adverse Weather

Cyber Attack

Data Breach

Unplanned IT/Telecom Outage

Level of Corporate Concern

11

Source: The Business Continuity Institute: Horizon Scan 2013 Survey Report

Top Emerging Threats to Business Continuity

12

Source: The Business Continuity Institute: Horizon Scan 2013 Survey Report

Which of the following trends or uncertainties are on your radar forevaluation in terms of their business continuity implications?

Distributed Denial of Service (DDoS) Attacks

13

DDoS is an attack on a computer/server or its resources and thereby making it unavailable to intended users.1

Massive volumes of data– Up to 70 Gigabytes/second 2

Equivalent to 1.9 DVDs per second, or 1,750 iTunes songs per second

Prime Target: Banks 3

– 64% of banks have been attacked– 48% of banks have had multiple attacks– 78% expect continued or increased

activity in 2013

Other Major Targets: 4

– eCommerce sites– Software-as-a-Service (SaaS)

OrganizationsSources: 1) Wikipedia2) www.nytimes.com/2013/01/09/technology/online-banking-attacks-were-work-of-iran-u

s-officials-say.html3) AFP Fraudwatch: 1-28-20134) Prolexic Quarterly Global DDoS Attack Report Q4 2012

Resiliency Planning and Mitigation

14

Documenting business and technology response and recovery plans. Recovery plans are developed to be flexible to respond to a multitude of different threats. In some instances as gaps in plans are identified, mitigation strategies are developed and implemented to improve the ability to recover.

Using the BAI to Build a Plan

15

BIA Identifies your requirements for continuing your key functions

Business Continuity PlanDocuments how your requirements identified in the BIA can be achieved

PEOPLE

o Key Staffo Key Skillso Expertise / competence requiredo Minimum staffing levels required to continue /

recover key functions

o Notification / invocation procedure / protocolo Management structure for dealing with an incidento Information and advice to staff (response procedures)o Key staff / contact list (including out of hours details)o Multi skill training in key areaso Reciprocal Arrangements to cover staff short fallso Home workingo Staff welfare issues

PREMISES

o Key facilitieso Key Equipment o Key Resourceso Specialist Equipmento Security / restrictionso Alternative siteso Alternative facilities

o Loss / damage assessmento Site securityo Relocation arrangements / protocolo Inventories of equipment/ resources and details of how to

recover theseo Salvage, site clearance and cleaning arrangements

PROCESSES

o Key processeso Critical periodso Key IT systems / applicationso Key documentation / data o Record keeping requirementso Key communication requirements

o Action cards for recovery of key processes o Checklistso Copies / Back-ups / safe storage (recovery procedure)o Contingency procurement arrangementso Documented manual procedureso Data recovery procedures

PROVIDERS

o Key dependencies (supply and receipt)o Key supplierso Key contractors / service providers / supplierso Reciprocal arrangements in place with other

organisations

o Contact details for key providers / contractors / suppliers / support services

o Alternative suppliers (required for key functions)o Alternative providers (required for key functions)o Alternative contractors (required for key functions)o Resilience capability of suppliers / provider / contractors to

business disruption o Third party business continuity arrangements

PROFILEo Key stakeholderso Legal / statutory / regulatory requirementso Vulnerable groups

o Communication strategy / plan / procedureso Stakeholder liaison (regulator, clients, unions)o Media liaisono Public information / adviceo Notification of at risk groups / alternative care arrangements

Source: www.talkingbusinesscontinuity.com

The USPS financial problems have been widely publicized and continue to mount

In response the USPS has embarked on an aggressive two year plan to modify service levels and align capacity with demand

– 46 plants consolidated by August 2012, 94 more in early 2013

– Reduction of the two day service delivery area from ≈ 500 miles to ≈ 250 miles

– Elimination of overnight delivery of 1st class mail in 2014; 89 more plants to close

Remittance Mail to be handled on an expedited basis with prioritized Zip Codes, National Firm Holdout and extended caller services

16

The impact on Lockbox mail in 2012 was limited

U.S. Postal System: Anticipating Change

U.S. Postal System: Anticipating Change

17

https://ribbs.usps.gov/modernservicestandards/ssmaps/find_map.cfm

U.S. Postal System: Anticipating Change

18

U.S. Postal System: Anticipating Change

19

The USPS recently announced it will eliminate door-to-door mail delivery on Saturdays, effective August 5, 2013

–Move will save the USPS $2 billion annually–This may still require Congressional approval

USPS will continue to process mail on Saturdays, it just won’t have its mail carriers delivering it door-to-door

–Large lockbox providers like PNC will not be negatively impacted, as we can continue to retrieve mail from the Post Office as we have traditionally

done–Clients should not eliminate weekend processing

The float/availability gap between those who utilize a lockbox and those who do not will likely widen as the Saturday change and future consolidations occur.

U.S. Postal System: Anticipating Change

20

General observations of changes to date: Wednesday mail declining; Sunday mail moving to Monday Mail arrivals patterns have shifted to later in the day The two day delivery area is shrinking; more mail moving to three day

Expectations related to upcoming changes: Some businesses might benefit from adding additional lockbox locations Companies still receiving mail in-house will be impacted more dramatically than those

using lockbox Clients with early final deposit deadlines may wish to consider adding later deposit

deadlines Encourage electronic payments and evaluate invoicing methods

Risk Monitoring and Testing

21

A critical component to the life cycle of resiliency is to demonstrate or validate the Company’s ability to recover at the time of a crisis or event. Recovery plans should be exercised in a testing scenario. It enables the business to identify potential gaps or risks in the recovery plans before an actual incident occurs, thus reducing the risks of a delayed recovery in a live event.

Monitoring and Testing the Continuity Plan

According to Forrester Research1:

≈ 45% of business unit owners are not involved in plan testing

≈ 57% of business unit owners are not involved in training and awareness

≈ 44% of organizations do not include business partners (suppliers, providers, etc.)

The top 3 lessons learned from organizations that invoked a Business Continuity Plan:

1. There had not been enough training and awareness.

2. Plans didn’t adequately address internal communication and collaboration.

3. Key staff had not been included in testing and didn’t know roles/responsibilities.

22

Recommendations:1. Update the BIA to include new threats, processes, systems, partners etc.

2. Test various components in your plan and update based on lessons learned.

3. Meet with stakeholders such as banks, trading partners and vendors to discuss critical components of the plan that require their participation.

1) Source: Disaster Recovery Journal, Winter 2012 “The State of Business Continuity Preparedness”

Parting Thoughts: A Day in the Life of Treasury…

23

Execution (80% of time) Compile cash position

– Retrieve data from bank(s)– Reconcile prior day estimates with actual results

Make liquidity management decisions Initiate, approve, release wires Update current day position with new information Generate management reports Research payments and cash flow issues

Analytical (15% of time) Create cash forecast model Review exposures Hedge positions

Strategic (5% of time) Enterprise Risk Management; Working Capital Management; Advisor to

Business Units; Liaison with Board of Directors

Source: Treasury Strategies, Inc.

24

Questions?

Supplemental Readiness Questions

25

Asking the right questions will enable you to develop contingency plans and actions designed to minimize operational and financial disruptions.

Financial Planning: Contingencies

Collections

Lockbox:

– Can you receive data for posting?

– External Changes…. USPS

– Exception management: Post cash and correct issues later?

Electronic Payments

– Do you have event notification?

– Information reporting: Intraday?

– Related data: FED reference number; Expanded remittance, CTX, CCD+

Physical payments

– Security of collected cash?

– Alternatives for check deposit?

– Card Acceptance?

26

Financial Planning: Contingencies

Disbursements Demand Accounts (Checking):

– Authorized signers/resolutions: Limits, number of signers, physical location: Do you have paper and electronic copies?

– Check stock: Accessible? Secure?

– Check Positive Pay implications: Pay or no pay?

Wire:– Voice wires: Do you have PIN process established?

– Branch origination: Hours of operation; dollar limits; PINs

– Deadline of FED wire system

– Tokens/Call Back Numbers?

ACH:– Can you create/confirm a payment/file (system availability)

– Windows of operation: ACH network and your bank

– Dual approval: Access and availability

– ACH Positive Pay implications

27

Financial Planning: Contingencies

Information Reporting – Visibility of activity (and of Cash!)

– Accessibility to company systems, web and bank systems?

Liquidity– Daylight OD limits: For your company? For your bank?

– Availability of cash when receipts are interrupted?

– Overdraft (overnight) vs. extension of credit

Card Programs– Alternative MCC/Spend Limit Profiles?

– Emergency Cards?

– Prepaid cards?

– Travel Related Considerations?

– Cardholder Communications?

28