| 13-10-2021 | treasuryXL | Nomentia |

One would think data protection and security measures are baked into our identity as digital people, especially in a year where we are working remote more than ever. But is it though? The breaches show that security is too often seen as something to kind of ‘wing it’. And there is an eternal question whether the best way to a secure IT environment is to educate the employees to make the right decisions or to put measures into place.

We personally believe that security and combatting Fraud is a combination of people, processes, and tools. Security literacy is a skill everyone should have and constantly develop, and companies can further support this by making use of tools such as multi-factor authentication to mitigate risks and implementing processes to keep their corporate environments safe. We think security deserves a 360 degrees view in an organization that is implemented throughout their solution landscape.

Login & User access control

This is a simple thing organisations can implement either with Single-Sign-On and/or multi-factor authentication. Multi-factor authentication (MFA) is a method of authentication that requires the use of more than one verification method and adds a critical second layer of security to user logins. A user is only granted access after successfully passing all authentication phases. The different factors are based off of different things as opposed to a simple password which bears some vulnerability. The first authentication phase is based on knowledge. A person needs to know their username and password, and this can also be initiated through single sign on with corporate credentials for a further security increase. The second authentication phase is based on possession. A person must possess and have access to a mobile phone to for example receive a code per text message or a phone call to double authenticate the log-in.

In practice this means, even if a username and password get compromised, cyber criminals will still not be able to login to the account protected with multi-factor authentication. And neither does a stolen mobile phone as both phases are required for a successful login.

One of the potential downsides to multi-factor authentication is that it adds one extra step in the process. And I can admit myself, every time I am going through the process of logging into our internal tools, we are sometimes a bit impatient while waiting for the text message. But it’s a small trade-off for security. Especially since single-sign on also adds convenience.

Single sign on means that people can log into systems with their corporate credentials and just speed up the process on that end. It’s fast and adds an additional security layer which is extremely powerful if paired with MFA.

Integrations

This is a crucial part in terms of security. We believe that monolithic enterprise platforms are dead and best-of-breed solutions that are highly integrated are the future. This best-of breed approach however also ads emphasis on the need to ensure the integrations are safe. Which data is travelling via which channels from where to where? How is the data in transit being secured from theft and man-in-the-middle attacks?

The first step is to map out all needed integrations and systems and create a use case scenario and based on this define the needed setup. For instance, in the context of cash management you might for instance end up protecting payment information with a higher security standards than a simple accounts payable extract that is used to cash forecasting only. The key is to have a companywide and regularly maintained risk analysis process that recognizes risky areas, measures the levels of set controls (preferably audited by external experts) and constantly comes up with better and better controls.

User access control

Understanding and carefully designing which user has access to which data and processes is not bullying your employees but is a crucial step in setting processes in place that further support security. In our case, our customers need to answer questions such as: which user can approve payments, who can add a new account number to the system, who can manipulate user rights, who can make a manual payment, or who can view balance information from banks and the likes.

Infrastructure and Platforms

Making sure that you run your IT infrastructure and solutions on secure platforms is a crucial control point. One would think that in this day and age that shouldn’t be a question anymore, yet we would recommend checking this anyway. How is the user access to databases and servers or other backend artifacts controlled? Are your administrators using multi-factor authentication? Have you segregated the so-called privileged access and user accounts? Do you keep a list of such accounts? Do you collect logs from your systems and store them securely?

Many industry standards come handy here. For us relevant standards are for instance ISO 27001 and ISAE 3402 auditing framework. In our domain particularly relevant is SWIFT Customer Security Program (CSP) which is a security framework developed and derived for financial industry from such international standards such as NIST and PCI DSS. All these standards should not be considered just as acronyms but a toolbox that can help you to build a company culture that takes security seriously in every step and by every employee in every role.

Security comes from within

Above are the steps that each organization can take to ensure that their set-up is secure. Let’s face it, there is no such thing as absolute security. But by establishing a strong security culture in your organization we believe you can make it really hard for criminals to gain access to our systems.

If you want to reach have an assessment of your security measures in terms of people, processes and tools for your cash management, please get in touch with us and we will assess your set-up and provide you options how you can further tighten your security. Cash is king, but hopefully a well-protected king.

CONTACT US 

 

 

 

 

| 29-09-2021 | treasuryXL | Nomentia |

A recent Cash management survey that we did showed that 43 percent of respondents continue to experience issues with their Cash flow forecasting. Unsurprisingly, more than half of the market still use spreadsheets to execute this business-critical function. The million-dollar question is, why?

According to the European Spreadsheet Risks Interest Group, the reliability of a spreadsheet is essentially the accuracy of the data that it produces and is compromised by the errors found in approximately 94% of spreadsheets.

If accurate cash flow forecasting remains one of the key priorities for treasury and finance professionals alike and the market has easy access to affordable, cutting edge forecasting applications, why do we continue to rely on outdated, ineffective forecasting tools?

Common myths prevail that spreadsheets save money, are easy to use & flexible. In the spreadsheet’s defence, it’s a nifty tool, that ticks many of the aforementioned boxes and can work very well with cash forecasting solutions. But, for a growing business looking to mitigate risk and plan for the future, risks run high if you’re relying on a system that’s almost surely flawed, demands hours of manual input effort, prone to human error, exists largely undocumented and which no one really knows how it works.

“After the clever intern, who developed the nifty macros and formulas is no longer around……nobody knows how the application generates the numbers.”

Penny wise, pound foolish 

Spreadsheeting is, by and large, the manual process of gathering, inputting and administrating data. Typically, spreadsheets have been built up and added to over a period of years, becoming cumbersome to manage and share. In an eye-watering number of cases, the person originally responsible for constructing the spreadsheet has long since left the department. No one knows the algorithm behind the macros and no one assumes responsibility for its maintenance, let alone documenting changes and adaptations. The whispered precedent remains, “if it’s not broken, then leave it alone”……… Ouch!

Alternatives are perceived to be more expensive. Excel, for example, is cheap to acquire whilst Treasury Management Systems are expensive with lots of added features that SME’s in particular, don’t require.

Busting the myths

Cost is no longer a plausible reason to rely on spreadsheets for cash flow forecasting. Cloud-based solutions such as Nomentia Cash Forecasting, offer competitive pricing. Modular, on-demand, SaaS solutions have revolutionised application choice. Simply choose the modules you need, pay by the month and no IT involvement required. Free up more departmental time by reducing the number of resource hours required to maintain a spreadsheeting process and the cost-saving just got bigger.

Spreadsheet errors and inaccuracy are by far the most compelling reasons to consider a move to a specialist cash forecasting application. Finance and treasury cannot afford to make mistakes. Inaccurate cash flow forecasts can literally lay to ruin to a company’s business reputation and/or result in a financial loss or penalty. No scare tactics needed.

Mini Case-Study: Conviviality a ‘Spreadsheeting Horror Story’

(Source: The Guardian UK, 21 March 2018)

At first, the drinks retailer Conviviality said profits would be 20% lower than the £70m expected by the City, with £5.2m of the £14m hole that had opened up in its forecast, down to a spreadsheet error. The remainder was a reflection of weakening profit margins.

On 21 March 2018, the Guardian (UK) reported “Firm issues third profits warning; says it will meet investors to raise funds via a share placing’’. The company, in a stock exchange announcement, said it was holding meetings with investors to raise £125m via a share placing that would help it pay a £30m tax bill due at the end of the month, fund overdue payments to creditors and repay a £30m loan.

The company blamed the first shock profit warning on a spreadsheet arithmetic error made by a member of its finance team and weakening profit margins, and then admitted it had not budgeted for the £30m tax bill due this month.”

Conviviality has since gone into administration

Whether or not the use of spreadsheets was the sole cause of this bankruptcy is not clear, but it seems to have been a major contributor. Such cases are exceptional, but they do illustrate how relying on spreadsheets is not a sensible course of action for any finance & treasury team anywhere.

Many spreadsheets also contain, quite clever but complex, macros and apart from keeping these up to date, finance & treasury is responsible for ensuring their integrity. This is something that is not always feasible. Even when errors are spotted it is often very difficult to decode them, especially given the sheer size of the spreadsheets many finance and treasury folk utilise.

Embracing future-proof change

Readily available and affordable cash forecasting applications have, for those organisations who have embraced the benefits of technology, reduced risk exposure exponentially, facilitated real-time & accurate cash visibility, minimised human resource demand, and liberated finance leaders to take a more strategic role across the business. No-brainer.

Sometimes taking a leap of faith, moving away from the old and onto the new, can be a daunting decision. Historical hang-ups, ranging from less than favourable experiences with legacy systems, pre-conceived assumptions around cost implications, and work-flow disruption make it all too easy to decide to ‘leave well enough alone’. Before you take the decision to stick with the spreadsheet that’s done what it apparently ‘says on the tin’ for many years – let’s consider the following:

Back to the future

In a world where cyber security is of the utmost concern and data privacy, e.g., GDPR, is a regulatory requirement, can finance and treasury really afford to run their operations on spreadsheets? Spreadsheet security cannot and does not compare to the advantages of specialist systems that have been built with security in mind. Indeed, some spreadsheet applications lack even basic authentication security, can be easily copied and distributed outside the confines of the business without the knowledge or prior agreement of management.

Spreadsheets were built for convenience-only in a pre-internet world where cyber-attacks and data security were unknown and of no consideration. Spreadsheets were not built with security in mind.

Square peg in a round hole

Spreadsheets don’t grow with your treasury and finance needs. Organisations often try to adapt their spreadsheets to a growing business but soon realise that the complexity of doing so is almost impossible. Adding new accounts and deleting old accounts becomes challenging at the best of times, but managing this critical process in a spreadsheet, whilst trying to drive the business forward, is often a step too far, leading to errors and oversights.

Treasury and finance, by its very nature, consists of a number of different individuals performing a variety of activities, sometimes at the same time. This results in the sharing of valuable company information between several people and departments in any one day. Managing this process on spreadsheets can be difficult and nigh on impossible, even if some automation is achieved. Typically, only one person can update a spreadsheet at any one time so the workload that needs to be shared becomes inefficient and confusing. Maintaining full transparency around additions, edits, and alterations are off the table. Once an edit, or error, is made on the spreadsheet, it remains invisible and untraceable until something goes wrong. In addition, identifying the point of error-impact is often a time-consuming, futile, and frustrating exercise for some unfortunate departmental executive, even if they have the necessary investigative skills.

Doomed to repeat the same mistakes

Spreadsheets are not that good at quantifying or qualifying historical data, and treasury & finance needs this data regularly. That is not to say data cannot be stored in earlier spreadsheet versions, but due to the way they work, it is not a simple task to access, view, assess, and report this data as efficiently and effectively as modern cash management applications. Losing valuable historical data for comparison and variance purposes is a high-risk consideration. Accidentally saving over historic files, or indeed losing files altogether, is a terrifying experience we’ve probably all experienced at some stage in our careers. Notifying management of a spreadsheet faux pas is just as bone-chilling, remaining undisclosed and causing further inaccuracy to forecast outputs.

As alluded to in an earlier blog ‘Five expensive myths in Cash Forecasting’, there is a very real chance that the person who created the original spreadsheet has moved on and left the company. How many finance and treasury departments have found themselves in a position where a mega spreadsheet, long lauded as a ‘work of art,’ is no longer sufficiently supported and documented with non-existent instructions on how to maintain or update the worksheet.

Cassette recorders, big hair, leg warmers, the Rubik’s cube, Walkman, and mobile phones the size of small suitcases are all legacies from the 1980’s. Technology and hairstyles have moved on….. so should cash forecasting applications.

 

 

 

| 01-09-2021 | treasuryXL | Nomentia |

Most organizations would benefit from some form of Bank Connectivity as a service. But just deciding on outsourcing bank connectivity won’t magically make all those connections appear. In this blog, we’ll cover 7 important criteria you should think of when evaluating different options.

1. In which banks do the majority of your payments flow?

Make a list of all banks that your organization is connected with and include all banking relationships from all your subsidiaries. We have noticed in interactions with our customers that this first step can be eye-opening at times. Often, we have an idea of the different banking relationships but then there are still local bank relations that might not be that visual to your treasury function. It also provides you with a good understanding of how many bank connections you would need and whether you would benefit from simplifying your banking landscape before implementing a bank connectivity solution. If your organization is only working with 5 banks altogether the story is very different from an organization that has relationships with 20+ banks.

After mapping this out, you might want to apply the 80/20 rule: typically, you would first set up connections to the strategic banks that cover 80% of your payment flows. A cloud-based software from a Cash Management specialist will most likely be able to provide you these connections as part of their out-of-the-box functionality.

2. Evaluate your use of local banks

Even if you expand the use of strategic banks to more countries, you might still find a set of local banks that you cannot replace. Typically, a discussion about bank connectivity increases in complexity when the long tail of local banks comes into play. That’s where you need to ask yourself why you are working with local banks. Is it for collecting money, for making payments from a regulatory point of view or because of specific needs within your local business?

Having visibility on Cash is straightforward while covering payment flows is not easily justified from a direct cost savings point of view. At the same time payment fraud plays a role in the local banks. You might want to consider a solution to replace internet banks for manual payments with a centralized solution. Then, the business case cannot be backed up by direct cost savings, but cost-efficient risk mitigation.

3. How consolidated is your banking landscape?

After mapping out all your banks in a first step, you know your strategic banks. Now it’s time to take a look at which countries are covered by these strategic banks. Would it be a good time to reduce your banking relations by using a certain set of strategic banks in more of your countries in order to reduce the number of domestic banks?

4. How many file formats and payment types do you have in use?

It is a different thing to set up credit notes and treasury payments only, as opposed to also including domestic payments, salary payments, and tax payments. We recommend having a solution for all your payment types and file formats: this is the only way to get rid of the internet banks and the tokens.

5. Are you concerned about payment fraud and information security?

You should have a solution to cover all payment types in all countries with all banks. That is the only way to have a full audit trail and control in every country. A centralized payment process enables centralized validation and control. We have covered the topic of payment fraud extensively.

In our case, having bank connectivity as a cloud service lets you benefit from a platform, which invests annually roughly 1bn$ in information security. From an information security perspective, this lets us concentrate on application-level security, which is annually audited by 3rd parties.

6. Are you interested in having transparency in your bank fees?

Modern bank connectivity solutions enable transparency in banking fees: Having bank agreements and the related fees included and matched against the banks’ reports. Even more transparency can be gained with services like SWIFT GPI: SWIFT GPI enables banks to provide bank fee information for the e2e chain. Not all banks support these features yet.

7. Choose wisely

Once you go through the questions and mappings outlined above you are at a good place in making your decision for the right bank connectivity provider. It might seem tedious at times and one might think of bank connections as a mere technical thing, but they are so much more. We feel this is a perfect moment to evaluate all your processes and look at ways to harmonize them.

It’s also a great way to work closely together with your colleagues. We recommend approaching this topic in a project team between treasury, finance and IT: From an IT perspective you want to minimize the IT-footprint, finance will run the daily operations and treasury sets the policies and controls.

DOWNLOAD OUR BANK CONNECTIVITY WHITEPAPER