
Keys to Effective Risk Management Policies

  • By Andrew Deichler
  • Published: 3/10/2020


If there is one area in treasury where a policy is necessary, it is risk management. Having formal policies for risk sets parameters around a company’s exposures. The policy should outline treasury’s role, as well as the responsibilities of senior management and other departments.

AFP’s latest Treasury in Practice Guide, underwritten by Kyriba, examines different risk management policies that treasury can implement.

CYBERRISK MANAGEMENT

The 2020 AFP Risk Survey revealed that treasury and finance professionals find cyberrisk to be the most difficult risk to manage, and that challenge is expected to continue for at least the next three years. While organizations across the board are adopting cybersecurity safeguards and implementing robust training programs, it is clear that those committing the attacks are not discouraged by these protections.

Kyriba has observed CFOs paying much greater attention to policies around cyber over the past five years, which has coincided with the dramatic rise in the complexity of cyberattacks. As such, it’s important to be specific in your procedures. “Many organizations have suffered from writing policies that lack sufficient detail about how to manage exceptional situations, such as management requiring one-off payments,” said Bob Stark, vice president of strategy for Kyriba. “In many payments fraud examples, it wasn't necessarily someone inside the organization not following policy; it’s that the policy was too vague to be effective.”

To be more precise, payments policy should dictate how to manage typical payment scenarios, as well as unexpected scenarios such as the “real” CEO actually needing an emergency wire to be sent. The policy needs to also cover the exceptions to be effective.

For example, does your CEO actually have the authority to email the treasurer and say, “I need a wire today. You actually can't tell people about it, because it is secret and for a real acquisition”? You might have a policy in place that says that treasury can’t just wire the money, but does the CEO understand that? And does your staff have the confidence that you will back them up if they say no to the CEO when he tries to break the policy? These are the questions that need to be asked and answered. “The policy should be that you have to follow it, every time,” Stark said. “So it's that sort of thing that organizations will differ, but they used to be fairly vague around this or be silent on it.”

Stark advises companies to digitalize their procedures wherever possible. “CFOs and treasurers are asking for technology that helps enforce their controls, so they have confidence that cash, payments or bank account management procedures are following policy,” he said. “Treasury and payments software can ensure the policy is being followed.”

For example, your organization may apply the four-eyes principle as a policy. But that might not be specific enough, because who are the four eyes? More than two people will probably see the payment, so which two are the ones that count? You may need to delineate to a detailed level, especially when the CFO or the treasurer needs to be directly involved with a payment. “A payments policy should be scenario-driven, so that certain payments require ‘four eyes,’ while other scenarios require six or eight eyes,” Stark said.

Some treasury policies require investing in cyber insurance, which in turn can help assess the overall threat level. “Insurance companies will conduct a thorough analysis of your systems to give you a good understanding of your risk as part of their premium determination,” said Tom Hunt, AFP’s director of treasury services.

FX RISK MANAGEMENT

For FX risk, the AFP Manual of Treasury Policies notes that a policy should establish key principles that will guide treasury in the company-wide communication and implementation of risk management activities. The policy should be split into two parts. The first section defines the importance of having an FX risk management strategy, recommends a policy development and approval process, provides guidance around monitoring compliance, and considers ways to manage exceptions. The second half identifies risk exposure and measurement, and comes up with hedging strategies and reporting guidelines.

Treasury should develop the policy, though it will require oversight and review from senior leadership, and input from other departments like tax, internal audit and accounting. The CFO should approve the policy; at some smaller organizations, this may be the final level of approval. Larger organizations may have a risk management committee and/or board of directors that provides the final approval.

According to the manual, a good policy should:

  • Provide clear guidance and communication on the definition of risk
  • Ensure linkage to the company’s overall business objectives
  • Reduce the potential for miscommunication and errors in managing the FX program
  • Ensure that the organization’s risk management objectives are met, and the hedging strategy is well-executed.

Just like mitigating fraud risk, handling FX risk requires a lot of oversight. DHL has a policy that requires subsidiaries to hedge if there is a high amount of balance sheet risk. “And then you're required to hedge with a parent, if it's legally allowed,” said Bob Whitaker, CTP, senior vice president of corporate finance for DHL and chairman of AFP’s Board of Directors. “If it's not legally allowed, in a country such as Brazil, then you need our approval to set up a hedging program. Because when you get into hedge instruments, there are a lot of risks and you don't want people off doing their own thing.”

Mitigating risk at a company the size of DHL is incredibly difficult; it isn’t really feasible to create a blanket policy for subsidiaries in 200 countries. But the treasury department’s overall rule is to restrict anything that is considered high risk. “You have to come to us to pick an open bank session, you have to come to us if you want to borrow money, and you have to come to us to do hedges,” Whitaker said. 

At Conair, the purpose of its FX hedging framework is centered on ensuring that the company is protective in nature. If there is anything unusual, treasury works cross-departmentally to keep everyone in the loop. “We go to accounting and say, ‘Hey guys, this is what we're doing. We don't see any issue here. Do you see any issue with what we’re going to do?’ So that just helps everybody know what we're doing,” said John Dourdis, CTP, vice president and treasurer for Conair. “That way, there are no surprises, and people are aware of any financial swings of the currency. So part of our procedure is to ensure that we bring in our colleagues in our cross-departmental groups.”

Many FX policies are even more complex, as they often need to specify when exposures should be hedged, as well as when and how the treasury team should pursue organic reduction of net exposures. When an organization decides to hedge, it may have different policies for balance sheet hedges, which often settle within the quarter to avoid derivative and hedge accounting, and cash flow hedges, which are typically longer duration. Furthermore, an effective policy may also limit certain durations (e.g., not more than six months) with different percentages at different timing intervals—one month, three months, six months, etc. Finally, many FX policies need to be clear about what instruments are to be used. Many organizations only use forward contracts, while others will allow plain vanilla options or even more complex option strategies. 

But it’s not a given that every organization hedges. Some of the largest companies in the world do not hedge, instead choosing to organically reduce net currency exposures. “Corporate policy should determine how exposures are identified and how risk is to be managed,” Stark said. “If a company chooses not to hedge their balance sheet exposures, for example, procedures should still be in place for situations like Brexit. A silent policy on currency risk scenarios can have significant impacts on earnings per share.”

For more insights on effective treasury policies, download How Strong Policies Support Best Practices in Treasury.
