Colleen Taylor, an executive vice president at Capital One in New York, has spent her career revamping treasury organizations, as she retooled training programs for new employees and triggered changes that allowed banks to better anticipate and respond to the next wave of client demands. However, it’s the things that no one can anticipate that have lately attracted Taylor’s attention. MME recently spoke to Taylor at the Association of Finance Professionals’ annual conference in Las Vegas, Nevada.
MME: What have you observed when it comes to lower-middle-market businesses and disaster recovery? Have they begun to take it seriously?
Taylor: Well, I think that there have been enough signals telling businesses in recent years that they need to take it seriously, beginning with Hurricane Katrina. We have a big footprint in the Louisiana/Gulf region. Katrina was so devastating, and there were so many businesses that in fact didn’t have a plan that could be executed. It’s clear that many businesses have just not thought through the many different issues by which they could be confronted in just such circumstances. We have also observed the number of man-made threats escalate, such as terrorism, etc. Super Storm Sandy was certainly a big lesson for our customers in the Northeast, despite these businesses typically having dealt with hurricanes.
MME: What needs to be the new mind-set for businesses?
Taylor: For businesses between $20 million and $500 million, it really begins with “If I can’t do what I normally do every day, how will the business be impacted?” This involves my transactions, my people, my customers, and anyone who calls in to a call center. There are just so many challenges that could emerge. The cell phone networks may not work, or you can’t for some reason access the server. You no longer have numbers written down anywhere. Think about it. Do you memorize phone numbers anymore? Or are they just in your cell phone’s memory. Can you even reach your trading partners?
MME: It seems that many businesses might not realize where their information is …
Taylor: We have automated beyond any awareness. We are so reliant on computers and technology, and this demands that businesses — and this means even banks our size — have to write down a worst-case scenario and test it out. I was recently speaking to a small lending organization in New York City that has about 65 employees. Because they are located right inside Times Square, they have had to deal with terrorism threats and last year Hurricane Sandy. This business is funding 25 to 30 businesses a day, and they found that for more than 10 days they were unable to communicate the instructions or get back in the requests that were coming in from customers. They have really been required to put down a plan on paper that starts with technology and has involved people testing the plan and having people really consider all of what needs to be put in place to serve as a backup. If there were a snowstorm and you couldn’t get into the office, how would you fund payroll? How would you get access to payment receipts? Do you have a backup plan so that you don’t bounce checks?
MME: What should a company, big or small, be prepared to address in a backup plan?
Taylor: What I like to tell businesses is that one day is not enough. Think through a month of activities. Within the CFO’s office, this means payroll twice a month and running your payables. You really need to map out a calendar for 30 days, and you may want to consider a quarter’s end, where a business would be closing its books. Today, a business may have a cash analyst who makes five wires a day, so how would a business make these five wires a day in an environment without PC access? A business may want to test out a situation where the wires could be done from a remote organization or from an employee’s home. Remember, once a company grows to 200 employees, it’s likely that they are no longer in the same region, and these employees expect to be paid despite payroll being in another region.
MME: Can you compare this to planning for a large enterprise like, say, Capital One?
Taylor: At Capital One, we have over 65 people working full-time on disaster recovery. Of course, we are clearly a large organization, with 43,000 employees. All of our senior executives have a white binder playbook where it’s all written down on paper, including phone lists. Paper is wonderful. It’s a great backup. One begins by asking, “If I don’t have electricity, what will happen?” “If cell phones can’t be used, what will happen?”
MME: Are certain industries or types of businesses more vulnerable than others?
Taylor: This is an interesting question. What we’ve observed is that businesses that are more reliant on a face-to-face customer interface may be more vulnerable, since during a big disaster you will not have that face-to-face. Whether this is selling to the customer or trading activities, there’s increased vulnerability. We’ve learned from Katrina and Isaac that many of the businesses that were most vulnerable were reliant on delivery trucks. For instance, one of our customers — a supermarket chain — was disrupted because they couldn’t get food deliveries. There is a supplier-to-customer dynamic, and if you a smaller business, you may not be high in the pecking order and receive orders as quickly as you like.
MME: Meanwhile, cybercrime continues to climb …
Taylor: We’ve seen a pickup in cybercrime activities almost every time that there’s been a weather disaster. Cybercrime is a $100 billion industry today. When we have businesses calling us and asking us to perform certain tasks manually as they implement their disaster recovery plans, we say, “Well, let us call you back.” We authenticate the call, because people could be calling in from anywhere. We are asking customers to think this through with us, because if we don’t have a callback number on file, we may not be able to authenticate it. Many of our large customers will test out their plans with us, and we advise and counsel businesses on these plans, but the plan must ultimately be owned by the business. We recommend that every business be clear as to who within the company has accountability for a disaster recovery plan. And this is not just the disaster recovery plan, but business continuity and how to address disruptions. Businesses would likely have to have a certain size or scale before they could actually afford to pay an employee for this role.
MME: How is Capital One working with businesses to help curtail cybercrime?
Taylor: Generally speaking, there are some safe computing practices that we are speaking to customers about. These have to do with how to protect the computer environment from outside forces. Frequently, this deals with money movement. Smaller companies need to take cybercrime and their technology security more seriously. Very often businesses are just not aware until it’s too late, and this has become just as important as business continuity.
total
twitter
facebook
google +1
linkedin
No comments yet.