[2023 Guide] Business Continuity in Manufacturing

This post was originally published at https://invenioit.com/continuity/business-continuity-manufacturing/

Maintaining business continuity in manufacturing is critical for preventing a costly halt in production. But unfortunately, not all manufacturers are equipped to prevent every disruption.

From natural disasters to data loss, manufacturers face a wide range of threats that can interrupt operations for hours, days or even weeks. In this post, we outline some of the key systems and planning strategies that can help these companies avert a major disaster.

Why business continuity in manufacturing is so important

Every manufacturer knows the fear of an unexpected freeze in production …

When a product can’t be produced, it can’t be ordered. When it can’t be finished on time, it can’t be delivered on time. When workers can’t do their jobs, productivity and profits go down the tube.

These consequences can translate into a major loss of revenue and potentially breach customer agreements in the process.

It only snowballs from there.

Production disruptions almost literally “throw a wrench in the works,” affecting nearly every other operation within the organization. They can sever customer relationships … hurt the company’s credibility … and weigh down the bottom line for years to come (assuming the company even makes it that long): a?failure to maintain business continuity?in manufacturing can threaten a company’s survival.

Threats to production

One of the most common threats in manufacturing is a breakdown in production equipment. That’s why manufacturers invest heavily in human capital, hiring skilled engineers and other specialists who can rapidly make repairs when needed.

However, manufacturers should be investing just as wisely in protection against other threats that are as destructive:

• Malware: Cyberattacks like ransomware can destroy your data in a matter of minutes, making your critical applications unusable and locking you out of the files that your company runs on.
• Natural disaster: Severe weather events and other natural disasters pose a major risk to your manufacturing equipment and personnel. If a factory is destroyed, and there’s no backup plan, operations may never resume.
• Fire & smoke: Even if a fire is contained, smoke damage can derail your production schedule and cause a health risk to workers. Manufacturers must not only comply with local fire codes to prevent accidents, but also must have a continuity plan that ensures production can continue soon after a disruptive incident.
• Flooding: Whether due to a severe weather event or interior damage, such as a pipe break, flooding inside a building can cause costly damage to manufacturing equipment and processes.
• Utility outages: An extended power outage or loss of other critical utilities like natural gas can result in lengthy manufacturing interruptions. Having access to redundant systems is essential for manufacturers that cannot afford to wait on utility companies to restore service at their leisure.
• IT disruptions: Data loss, network outages, server failure, software errors – each of these disruptions can have a severe impact on manufacturing operations, especially if there are no continuity systems in place.

A $1.4 billion nightmare

One of the most high-profile manufacturing disruptions in the last few years was the 2017 ransomware attack on U.S. pharmaceutical giant Merck. Hundreds of companies around the globe were sidelined by the same ransomware strain, commonly referred to as NotPetya. But in the years that followed, details emerged that showed the attack was particularly costly for Merck.

The attack?disrupted?the company’s manufacturing, research and sales operations. Company email went down. 70,000 employees lost access to their computers (many were told to simply stay home).

Initial estimates put the financial impact of the attack at about $310 million. But the full scope of the damages didn’t become clear until 2022, when Merck won a lawsuit against its insurance company to recoup some of the losses. The lawsuit revealed the real costs of the Merck ransomware attack totaled $1.4 billion.

Here’s how the costs added up, according to court proceedings:

·??????$135 million in lost revenue

·??????$175 in remediation costs to bring Merck’s systems back online

·??????$870 million to remediate disruption and encrypted files; improve security; and acquire new equipment

These are staggering figures, especially considering that the disruption was initially believed to have lasted only a week. These numbers should alarm every manufacturer, especially smaller companies that don’t have the same financial resources to survive such an outage.

Manufacturing disaster recovery plan template

A disaster recovery plan (DRP) is a comprehensive document that outlines an organization’s protocols for responding to an operational disruption. A DRP is sometimes also referred to as a business continuity plan (BCP), although the two documents are actually a bit different. (Disaster recovery is a subset of business continuity and is sometimes focused specifically on IT-related disasters.)

Every manufacturing company—and indeed all organizations, regardless of industry—should have both a BCP and a DRP to ensure the organization is prepared for every possible disaster.

While every company is unique, a basic?manufacturing disaster recovery plan template?should include the following sections:

Plan objectives

Overview of what the DRP aims to achieve and which operations it covers. Stating the plan’s objectives makes it clearer what the plan aims to achieve: its scopes and limitations. For example, if the DRP is focused solely on IT operations and not the entire business, this must be spelled out.

Disaster recovery teams

List of personnel who are responsible for activating the plan and overseeing the recovery. Include the contact information of your primary disaster recovery teams. Leave no doubt about who will be managing the plan and managing recovery efforts when the plan is activated.

Risk assessment

Analysis of the most likely threats to IT or the organization as a whole (as relevant to the plan objectives). This assessment is critical to understanding the many different scenarios in which your manufacturing operations can be disrupted. See the “threats to production” section above for common risks, although those are just a few examples.

Business impact analysis

How each of those threats would disrupt operations. This section should include detailed estimates on the projected length of an outage, cost, impact on other critical processes and so on. Each threat listed in the risk assessment should be evaluated for its impact on the business.

Recovery protocols

Specific steps that should follow each type of disruption in order to resume business. Provide clear, step-by-step procedures for recovering from the various threats outlined in the risk assessment. When applicable, consider using visual graphics, such as flowcharts, for added clarity.

Continuity deployments

A list of current systems and processes that help to maintain continuity if/when those disruptions occur. This can include the manufacturer’s data backup systems, antimalware systems, network solutions and so on. Identifying these deployments helps to identify any gaps in the planning that will need to be resolved.

Contingencies

Backup plans, assets, equipment and locations that can be used to continue operations if primary resources are unavailable. Aside from data backups, manufacturing companies must have dependable failsafes for restoring their operations if/when primary resources are disrupted. For example, if the primary production line is destroyed, a secondary site should be able to be activated.

Communication

How disaster recovery teams will communicate with each other, with stakeholders and with all other personnel to keep them updated on operational status. Include the devices and communications that should be used by your recovery teams, as well as resources such as company intranets/sites, SMS systems or call-in lines that will be used to reach employees during a major disaster.

Plan evaluation

A schedule for how often the plan should be reviewed and updated. Disaster recovery plans can quickly become outdated. Systems are replaced; employees exit the company, roles change; new threats emerge and so on. Provide a clear timetable for evaluating and updating the plan (and by whom).

Vulnerable to attack

Over the last few years, the manufacturing industry has been?hit hard?by ransomware attacks.

Boeing, Nissan, Mondelez and Renault are just a few of the big-name producers that have been derailed by infections.

Hackers are specifically targeting manufacturers because they know that these companies are often more willing to pay higher ransom demands if their production is halted. But that’s only part of it.

Experts say that manufacturing companies also tend to be more vulnerable to attack, due to use of outdated software and unpatched operating systems. Production systems are often supported by older applications that were built in-house and have not been updated with the latest security controls. Hackers then take advantage of these flaws (as well as mishaps by unsuspecting employees) to infiltrate the company’s network.

And unfortunately, despite the fact that some subsets of manufacturing, such as pharmaceuticals, are highly regulated by federal laws, the industry does not face the kind of strict business continuity regulation as sectors like healthcare do.

A lack of redundancy

Creating operational redundancy is one of the best things manufacturers can do to ensure continuity after a disruption.

• If equipment fails, there should be a backup (or parts readily available for quick repair).
• If employees go on strike, there should be others who are already trained and can quickly fill in their shoes.
• If critical data is lost, there should be a backup.
• If an entire facility is destroyed, there should be another location ready to go.

Understandably, small manufacturers won’t have the resources for Redundant Everything. However, they should still have a plan.

Anticipating a potential disaster, and knowing how to adequately respond, is the best thing a company can do to avert a prolonged disruption (which is why a thorough risk assessment and impact analysis are so important).

For example, a small manufacturer might not be able to afford secondary production equipment that just sits around in case of a disaster. However, they should absolutely have a plan for repairing such equipment, or quickly acquiring new equipment, or leasing some through a third-party facility if needed. There must be a plan for how the business will keep running.

The need for better data backups

We’ve mentioned how ransomware and other forms of data loss can threaten manufacturers. Whether it’s customer records, inventory data, order information or the software that keeps everything running, a sudden loss of this vital data can bring operations screeching to a halt.

Having backups is essential. But also, it matters how that data is backed up and how dependable it is when you need it most.

Too many manufacturing companies are relying on outdated backup technologies that are prone to failure during recovery and also vulnerable to threats like ransomware.

For stronger data protection, companies should be deploying advanced?disaster recovery systems?that provide:

• Higher backup frequency:?The ability to perform backups more often (every few minutes, if necessary), so that data loss is minimized when you need to roll back to the last recovery point.
• Faster access to data:?The ability to instantly recover lost files or even whole servers via virtualized backups or other recovery methods. With virtualization, you don’t need to wait for a full restore to start using your critical applications again – you can spin up a machine in seconds.
• More resilient backups: Dependable backups that don’t fail during recovery and are protected by automated checks that validate the integrity of the data. For example, BC/DR solutions from Datto use image-based backups that capture a complete picture of a protected server at every backup, without being dependent on previous backups.
• Hybrid cloud protection: Backups stored locally and in the cloud to create redundancy in case on-premise infrastructure is destroyed.
• Built-in ransomware detection: An added layer of?protection?built into the backup system, a la the Datto SIRIS and ALTO, which automatically scan each backup for signs of an infection.

Now more than ever, manufacturers depend on data to keep production moving. A failure to adequately protect that data is just as risky as failing to safeguard any other aspect of your operations.

Without proper planning, combined with detailed protocols and dependable BC/DR technologies, producers leave their companies at risk of a catastrophic break in continuity.

The case for cyber insurance

Even with backups, manufacturers need to be prepared for the risk of costly cyberattacks such as ransomware. As such, cyber insurance has become an increasingly common layer of protection for manufacturing companies (and other sectors) to recoup losses that do occur. This is especially critical for smaller manufacturers that do not have the financial resources to withstand an extended outage or large-scale data loss.

Sonit Jain, CEO of GajShield Infotech, writes for CXO Outlook: “Cyber insurance is needed for the following liability coverage in case a cyber-attack hits a manufacturing company’s business architecture, [including] first-party liabilities such as credit monitoring, identity theft, procurement data restoration, contact centre set up, direct ransomware attacks and similar others.” Additionally, he writes, insurance can provide coverage for the costs of lawsuits, regulatory investigations and electronic and social media liability.

Business continuity plan checklist for manufacturers

Throughout this post, we’ve highlighted some of the core components of a business continuity plan for manufacturers. But if you’re developing a BCP for the first time, then it may help to have a high-level overview of what you’ll need to create the plan. Here is a checklist of basic questions you can use to get started:

o??Who will create the BCP? Which individual(s) will manage it over time? Will they have access to different department heads to gather the information they need to develop the plan?

o??What is the objective of the BCP? Is it focused on a single aspect of operations or the entire company?

o??How often will the plan be reviewed? When should it be updated?

o??What are the risks? Which threats pose a risk to production or critical business operations?

o??What is the impact of those threats? What do those events actually look like? What will they cost? What reverberations will they have on other aspects of the business?

o??How can they be prevented? What systems or strategies can prevent these disruptions from occurring in the first place?

o??What is the best response? When disruptions occur, how can the impact be mitigated? Which steps can shorten the duration?

o??How can the business recover? What are the procedures for disaster recovery? Which systems should be leveraged? What contingencies are needed?

Frequently asked questions (FAQ)

1. What is a business continuity plan in manufacturing?

In manufacturing, business continuity plans are used to identify the systems and procedures for maintaining operations during a disruptive event. Plans typically include detailed risk assessments, impact analyses and protocols for disaster prevention, mitigation and recovery.

2. What are the 3 main areas business continuity focuses on?

Business continuity has three main goals: 1) identifying risk, 2) preparing for disaster, 3) restoring operations after a disruption. Together, these three main areas of focus help an organization to understand the threats to its operations and ensure that it can continue operating.

In manufacturing, business continuity planning is critical for preventing disruptions to production and responding swiftly to any event that disrupts manufacturing processes.

3. What are examples of business continuity?

Business continuity refers to any situation in which a business has implemented systems, failsafes or procedures for maintaining operations after a disruption. In manufacturing, some examples include:

·??????Restoring data backups after data loss

·??????Using backup generators during utility outages

·??????Making quick repairs to restore damaged production lines

·??????Activating secondary manufacturing sites

·??????Rapid hiring initiatives during a worker strike

Conclusion

In manufacturing, any break in business continuity can be disastrous. Regardless of the source—ransomware, equipment malfunction, utility outage or some other threat—manufacturers stand to lose millions when production lines are halted. As such, it’s critical that these companies take business continuity planning seriously.

Manufacturers can significantly curb the risk of operational downtime by implementing sound disaster recovery procedures and IT systems such as data backup. So when disaster strikes, companies can keep their doors open and keep production moving. ?