The high risk environment in which treasuries operate can be linked to three reasons. First of all treasuries are normally operating in a different market than that of the rest of the organisation, namely the financial markets. Secondly, risks are very visible in treasury departments due to the large amount of funds involved: losses on foreign currency exposures or from poor funding decisions are very high profile and quantifiable. Finally, treasury functions are usually in control of bank accounts, and bank accounts are the window through which funds leave the company after a fraudulent event.
Therefore managing and mitigating the risks in a treasury environment draws special attention from the board and other stakeholders. However, the existing control procedures already in place in the organisation might not be fully appropriate to the treasury environment.
A policy that is not fully applicable to the environment could in itself be seen as a risk as adherence to that policy tends to slip over time. It is therefore crucial that an appropriate Internal Controls Framework is established, supported by robust and tested processes and a system to enforce the framework.
The first step towards the management and mitigation of risks in a treasury environment is an Internal Controls Framework approved by the organisation's board and management. A typical Internal Control Framework consists of at least the following 8 key internal controls:
The treasury department is often seen as the last barrier against fraudulent transactions as it is treasury who usually controls access to bank accounts. Therefore, control on the access to funds as well as to transfer initiation and authorisation is critical.
A key method to limit payment risk is the implementation of electronic banking. Transfer letters and faxed instructions can be falsified with limited efforts, whereas access to an electronic banking system or the falsification of cheques takes significantly more effort and financial resources. Therefore transfer letters and faxed instructions should be limited to business continuity situations whenever necessary.
Management takes key decisions based on the information provided. If the provided information is inaccurate, then this can have a significant detrimental effect. This is more so the case in a treasury department where the amounts are usually much higher.
One of the major publicised scandals are when treasury staff enter into transactions that fall outside their assigned dealing limit. Adequate detection procedures need to be established to prevent unauthorised trades from taking place. These procedures should include timely bank account reconciliation (preferably daily), segregation of duties and the 4-eyes principle approach where each entry into the system needs to be reviews by, at least, one other person.
Segregation of duties is established to prevent fraud and to detect errors. In a best practice treasury environment the segregation of duties should be split for each transaction into Dealing, Recording, Confirmation, and Settlement. However, in smaller treasury teams this is not always possible due to the limited number of treasury staff. In these instances the Control Framework should take note and accept this risk as an inherent risk.
Restricting the number of counterparties is important for various reasons. First of all due to counterparty risk, each counterparty will have to comply with the set parameters as per the counterparty risk policy document. Secondly, the use of a different counterparty could actually be a breach of a covenant in loan documentation. It is therefore vital that all counterparties are approved and that adequate procedures are in place to prevent staff from using unauthorised counterparties.
Policies can be approved by the Board, however the framework also need to ensure that approved procedures are implemented and cascaded down into the treasury department and business operations. It is unfortunately common in some organisations for policies to be approved by the Board and subsequently ignored by the operations.
The numbers and amounts involved in a treasury environment are usually quite large and a small error could have significant consequences. Therefore, processes and procedures need to be in order to identify errors and ensure that incorrect data is deleted from the system.
Treasury deserves special attention from the Audit function and both internal and external audit exercises need to take place on a regular basis.
An Internal Controls Framework will need to be properly implemented before it can be effective. The two main and most critical ways to implement the controls framework is by looking at the company's treasury processes and have the internal controls enforced by a Treasury Management System.
A thorough review of the organisation's processes is a key support action to enhance the internal controls framework. These should not only be restricted to the Treasury Processes but be expanded to the Order-to-Cash and Purchase-to-Pay workflows and processes.
Reviewing the Purchase-to-Pay processes is a critical step to mitigate risks in the payments area. If the correct (system-based) controls are in place for the approval of a Purchase Order and the underlying payment terms, then the resulting financial settlement in the form of a payment should no longer be considered as the main focus of the risk.
The same applies for the Order-to-Cash processes, especially if the organisation is handling a significant number of letters of credit and guarantees. Redesigned processes can reduce risks, while improving control,
Technology plays an important role in managing and mitigating treasury operational risk. The benefits of a dedicated treasury management system are three-fold: First, each type of risk requires a different mitigation technique, but whatever the risk, gaining visibility and control over the company's exposures is a crucial first step. A Treasury Management System could provide a centralised group-wide view of all outstanding positions, due dates, and risks. Providing management with the right information at the right time in order to make the appropriate decisions.
Secondly, many corporate treasuries continue to rely on spreadsheets, even though that most users agree that using spreadsheets brings a significant risk of errors occurring in the company's financial data. While spreadsheets offer a cheap and flexible way of managing information, they are also notoriously error prone. From broken formulae to inaccurate input of data, the use of this type of technology in treasury can, and does, lead to errors. A Treasury Management System reduces the risks of errors and incorrect data.
And finally, and as mentioned before, a treasury management system is a very powerful and important tool in the enforcement of the agreed risk mitigation processes. It can also enforce the 4-eyes principle approach as mentioned before. The dedicated Treasury Management System should be configured in such a way to support the agreed Treasury, Order-to-Cash and Purchase-to-Pay processes as discussed above.
The treasury function in an organisation is one of the areas most exposed to risk. The adoption and implementation of a Board-approved Internal Controls Framework is the initial crucial important step to mitigate the risks involved. However it is crucial that the Internal Control Framework is supported by robust and tested processes and a dedicated Treasury Management System.
Disclaimer: This article is not intended to constitute any advice or an offer. Any forecasts or projections are indicative only. HSBC or any of its affiliates accepts no liability, whether express or implied, arising out of or incidental to contents forming part of the article.