AFP President and CEO Jim Kaitz led an expert panel on the risks facing treasury and finance professionals last week at Kyriba Live in Las Vegas. Topics of conversation ranged from cyberrisk to the coronavirus.
Overall, the consensus was that the current risk landscape is everchanging, and treasury needs to adapt accordingly.
Kaitz began by reflecting on a recent interview that he did with Leo Tilman and General Charles Jacoby, authors of the book, “Agility,” as well as a new guidance on risk by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). The authors and COSO agree that agile organizations need to embed risk into the strategic decision-making process. “Risk needs to be thought of differently than it has traditionally,” Kaitz said.
Due to the changing landscape, as well as certain sectors that organizations operate in, some treasury departments have had to make risk their primary focus. Non-governmental organizations (NGOs) like World Vision International (WVI) tend to operate in high risk areas. As such, “probably 95% of [treasury’s] time” at WVI is spent addressing or anticipating risk, said Kathryn Powers, global treasurer.
Michael Murray, director of treasury initiatives for Coca Cola, noted that historically at his company, treasury has primarily concerned itself with financial risk, while business risk has mostly been handled by the other business units. However, that appears to be changing. “I think over time there, in the last couple of years, we're all starting to mesh together because they're all overlapping,” he said. “One drives the other.”
Kaitz cited the 2020 AFP Risk Survey, in which 53% of financial professionals identified cyberrisk as the toughest risk to mitigate. “[Cyberrisk] is probably the biggest issue right now that an organization has to manage from a risk perspective,” he said. “But how does treasury think about risk? How does your organization look at risk? Is it holistically or is it by business unit?”
Sukhvinder Singh, senior vice president of information and technology and a department head at Host Hotels and Resorts, stressed the importance of interconnectedness across the organization when it comes to addressing cyberrisk. Treasury—and all departments for that matter—need to assume some responsibility for cybersecurity; it cannot simply be left to IT. “Cybersecurity should not be on an island,” he said. “It should be part of the integrated risk management profile for an organization.”
Singh added that cyberrisk is constant; companies shouldn’t assume that just because they’ve implemented a patch that they’re risk-free. Organizations need to build resiliency into the platforms that are used across the business to make sure that they always have a “plan B” in place.
Jennifer Botha, director of treasury for video game developer Activision Blizzard, noted that her organization also partners with other business units to address cybersecurity. However, she added that treasury departments’ efforts need to go further than that. “I think the one thing that folks forget is that it's not only your risk management that you need to be concerned about; you need to be concerned about the risk management of your partners and your vendors as well, from a cybersecurity perspective,” she said. “Because that can impact you, especially when talking about phishing, social engineering and things of that nature.”
Activision Blizzard has a rigorous vendor onboarding program that it uses to ensure that its partners are adhering to modern cybersecurity protocols. “They have to go through a number of questions,” she said. “And if that questionnaire comes back and it's not suitable or some questions weren’t answered, then there'll be calls and interviews. There’ll be a deep dive to understand what their security profiles are, and what they will do if they have a breach.”
Murray stressed the importance of constant training and communication around cybersecurity. “We get emails all the time that look like they’re from one of the higher-up executives and they say, ‘Hey, I need you to wire money,’” he said. “So, our treasurer will say, ‘I will never email you and ask you to wire something. If you ever see it, that's not me.’ You just have to keep the communication and the training going, because it's up to the employees. They’re the ones who could click that link and you've got to train them.”
ADDRESSING THE CORONAVIRUS
Turning to the coronavirus outbreak, Kaitz noted that all organizations, even AFP, are having meetings right now over how they are going to prepare for it, both internally and externally. “How are you initially thinking about the impact that it’s going to have on the business and your employees?” he asked the group.
Activision Blizzard, like many companies, has a policy of letting employees work from home as needed. However, Botha pointed out that organizations need to make sure they are able to continue operating with multiple (and potentially all) employees working remotely. “If you're in a situation where you do need to have folks work for home, you've got to make sure that your systems have the capacity for that and have plans in place,” she said. “Maybe not everybody needs to get online in a situation. Maybe you need to consider what the critical teams are that need access and really have a plan around that.”
Murray agreed, adding that several years ago, an ice storm in Atlanta caused all of Coca Cola’s employees to stay home to work. “Lo and behold, the VPN cannot handle everybody logging in at the same time,” he said. “So we had to log in from Japan and Brussels and use different VPNs throughout the world.”
Perhaps with the most unique perspective on the coronavirus outbreak is Powers, whose organization has people on the ground in China, much like it did during the Ebola crisis in Africa. So while WVI obviously doesn’t want to endanger its employees, it also has a mission to help those affected. “So we do operate in China and we make sure people are safe,” she said. “But the other thing is, what are we doing to help the people on the ground?”
The 2020 AFP Risk Survey found that most organizations have a formal process in place to assess and report risk. However, more than half of the respondents acknowledged that forecasting risk is becoming more difficult. Therefore, treasury needs to continue to address risk head on, working to anticipate it in places where it’s least expected.
“This is an opportunity for treasury really to play a strategic role in their organization,” Kaitz said in conclusion.
For further insights, download the 2020 AFP Risk Survey, underwritten by Marsh & McLennan Advantage.