By Tim Guido, Corporate Director, Performance Improvement, Sanmina

In recent years, many organisations have started to adopt a broader perspective when it comes to risk-based thinking. Much of this can be attributed to the ever-increasing requirements of regulatory compliance as well as unexpected macro factors that have impacted operations.

Indeed, a whole range of industries, including the automotive, medical and semiconductor sectors, are now required to comply with stringent third-party standards to ensure quality, reduce risk and control processes during the manufacturing of products.

Risk management is essentially about being aware of what could go wrong, understanding the likelihood of a crisis happening, what the possible impacts are should it occur, and what can be done to mitigate and address it. The element of risk that an organisation can manage will be largely dependent on the impact of what could go wrong.

Take the scenario whereby a manufacturer wants to introduce a new production line. They will need to explore all of the potential risks and plan for every possible action that could prevent or mitigate a risk, should it materialise.

This approach is widely referred to as risk management, disaster management or business continuity planning. Never has this been brought to the forefront more than in recent years when businesses have been faced with significant challenges including the pandemic, supply chain shortages, the impact of Brexit, extreme weather and trade wars.

Implementing a robust risk management programme

Risk management is focused on the investment in preventative and mitigating measures that can be employed during a crisis situation. When developing a risk management or business continuity programme, there are four main areas to consider:

Assessing Risk: The first action is to consider and determine what could potentially go wrong at each site, plant, facility or office across your organisation. The specifics of this will vary, in some cases significantly, from region to region. The chances of a significant weather phenomenon such as an earthquake occurring will be more likely in the US than the UK for example, whereas the UK and other countries in Europe face differing regulations when it comes to data protection.

With this in mind, let’s again consider the scenario of a manufacturer implementing a new production line. Firstly, a risk assessment form would be needed covering a number of different areas such as Finance, Health and Safety, HR, IT, Operations and Programme Management.

The individual completing the form would need to identify a range of potential risk scenarios and their associated impacts, from anything that could jeopardise the health and safety of employees to the consequences of delays with shipment. A threat rating would then need to be applied to each possible event, typically between 1-5, with the latter end of the scale denoting a critical incident or situation requiring urgent and immediate attention.

Next, prevention and mitigation are factored in based on what elements could contribute to an adverse incident occurring. This includes analysis of if anything can be done in preparation to prevent or negate the possible impact of such an event. For example, while a cyber-attack may be next to impossible to completely prevent from ever taking place, an organisation can clearly make sure they have a robust security policy in place for employees, state-of-the-art security protection controls running, and regular red-teaming exercises conducted to ensure they are as best prepared as possible should an attack take place.

Planning for Recovery & Business Continuity: Building out all of the details for incident management and business recovery is essential. This includes creating a key contact list with a specific individual or set of individuals responsible for notifying all affected stakeholders during a crisis situation. Ensuring that customers and suppliers are notified early on is not only important from a crisis comms perspective, but it may also be beneficial in terms of them being able to be part of the solution. Clear checklists and drills must be in place, including instructions for ensuring staff can quickly and safely evacuate a facility if needed. A call notification script is also a vital component, ensuring that there is consistent communication to relevant stakeholders, with the relevant information relayed at the right time.

The next steps in the first day, two days and three days following a disaster or crisis situation must also be clearly mapped out ahead of time. This will help ensure the streamlining of processes in terms of getting operations back up and running when it is safe to do so. The type of information included here might be details such as alternative locations to resume operations from. While flexibility and adaptability are key during a crisis situation as circumstances can quickly change and be unpredictable, having the framework of a draft plan in place to refer to will help save what could be valuable time. Finally, it is imperative that these plans are reviewed and updated as needed regularly (at least annually) to keep them relevant.

Internal Audits: As well as ensuring a business continuity / business recovery plan is reviewed regularly, it should also be audited on at least an annual basis to ensure that the correct individuals are leads are identified and verified. Every section in the plan must be evaluated during the audit process, with all employees noted as having key responsibilities properly trained and aligned with the agreed company approach.

Preparedness Testing: Every manufacturer should carry out a test exercise of the highest-priority emergency situations they could face in order to assess their readiness. They need to be able to demonstrate data recovery capability from an IT perspective and a timeline should operations need to temporarily be moved to another location. Setting objectives in this scenario is also a good idea, such as for the relevant stakeholders to be notified within one hour in the event of an emergency.

Evaluation of the success or otherwise of a test drill after the fact is also vital. If the key actions required such as notifying the relevant stakeholders, regaining access to the site or starting up operations at an alternative location can all be demonstrated during a drill, then a lot of the groundwork is in place. As with evaluating the business continuity plan, test exercises should be carried out at least once a year.

Prevention is the best cure

At Sanmina, we are seeing growing demand from customers to demonstrate that they we robust risk management programmes in place. The appetite for these plans is stronger than ever before, and they are considered an integral part of a business’ overall manufacturing strategy. Key to this is the culture of an organisation when it comes to risk management. It is imperative to foster, embed and instill a preventative mindset, which is not always an intuitive thought process. Being able to quickly resolve issues in the face of a crisis is of course vital, but even more important is a proactive thinking mindset as to what the potential causes for a disaster are. Alongside this, it’s critical that manufacturers continually evaluate the breadth and effectiveness of their business continuity plan to similarly nurture a culture of commitment to risk management.