Excerpt
Introduction
WHETHER YOUR BUSINESS is large or small,
whether your company manufactures printed circuit
boards or plastic molding machines or sells
handbags or lawn furniture, it is not unreasonable
to expect that there is a crisis looming some time in its future.
The reality is that no business or industry is immune from
crisis. While our tendency is to think about major disasters that
create havoc and impact whole communities—such as earthquakes,
hurricanes, fl oods, or severe winter storms—for most
businesses, the disaster is more likely to be on a smaller scale.
For most businesses, disaster can come from an event that may
not generate headlines, such as a water main break in the immediate
area, a fi re confi ned to a small section of their business,
or the failure of their IT systems.
And though we tend to think in terms of environmental
disruptions, such as natural catastrophes or pandemics, we
must also consider social disruptions (strikes, sabotage), technical
disruptions (a breakdown of equipment, loss of a key skilled
staff member), political disruptions (terrorist attacks, civil unrest,
nationalization), legal disruptions (legal shutdowns, injunctions),
and economic disruptions (supplier failure, exchange
rate fl uctuations, takeovers).
Just as it is not possible to totally prevent most disasters
and disruptions, it is not realistic to assume that they will
happen to other organizations but not to yours. Being prepared
when the things that "can never happen here? do happen is just
plain good business. Failure to plan for such events can lead
to supply chain disruptions that can devastate company performance,
damage profi tability and stock prices, and result in irreparable
harm to the organization. The consequences can also
result in cascading damage to every business and organization
relying on the timely receipt of your goods or services that enable
them to continue meeting their customers' needs in order
to generate revenue and protect their bottom line. Who wants
to stand in front of a board of directors, senior executives, or a
major customer in the wake of unsuccessful attempts to restore
critical operations following a disaster? Who wants to respond
to their queries about why the threat went undetected, why an
identifi ed risk was not eliminated or mitigated, or why strategies
were not in place to enable the organization to get back on its
feet quickly?
The Effects of a Disaster
In today's global economy, the effects of a disaster can be
more than just local; its impact can reach across country borders
and oceans. In 1995, a magnitude 7.2 earthquake struck
Kobe, Japan, resulting in 5,100 deaths and devastating physical
destruction. Following the earthquake, all area steel mills were
shut down and many other businesses became nonoperational
as a result of water and gas outages. Secondary business and
supply chain interruptions were extensive. Kobe was Japan's
biggest international trade hub and a major production and logistics
center, with approximately 30 percent of Japan's shipping
passing through it. Even businesses with no direct physical impact
suffered because of damage to the utilities, port, railroads,
and roads. Production was impossible, and shipments in or out
were diffi cult to unachievable. When Sumitomo's Metal Industries
Ltd.—the sole source of brake shoes for Toyota—closed
its plant in nearby Osaka, most of Toyota's plants in other parts
of Japan closed as well. For companies like Toyota that used a
just- in- time (JIT) inventory management system and relied on
frequent shipments of parts and materials, there was little available
inventory on hand, leading to an interruption of production.
According to published estimates, Toyota lost $200 million
in revenue. Moreover, the disaster cascaded and caused supply
chain interruptions for businesses in other parts of the world,
including U.S. companies IBM and Apple, which relied on displays
produced in Kobe.
Even a seemingly relatively small emergency can result in
a large business disruption. In 2000, a Phillips microchip manufacturing
plant in New Mexico was struck by lightning, creating
a small fi re. Though quickly extinguished, the fi re caused contamination
in the sterile manufacturing facility, contaminated
millions of chips, and halted the chip- making process. The
company's two primary customers were the two largest mobile
phone companies in Europe, which used chips manufactured at
the plant in cellular telephones. One of the companies, Nokia,
became immediately aware of the disruption in chip deliveries
and acted quickly, working closely with the chip manufacturer.
Nokia arranged to purchase chips from another of its primary
supplier's plants as well as other alternative sources, quickly tying
up the spare capacity. Some phone models were even reengineered
to allow the use of chips from yet other suppliers.
With pre- disaster plans in place, Nokia was able to continue to
assemble and distribute its products and gain a greater market
share. On the other hand, Ericsson—the other mobile phone
company affected—purchased all its microchips parts from the
single source to simplify its supply chain. Ericsson did not respond
quickly enough, had no supply chain continuity plan in
place to obtain the chips, already in short supply, from another
source; and suffered a lengthy and costly disruption in its assembly
and distribution processes. The resulting inability to
launch new products, loss of market share, and fi nancial losses
in the hundreds of millions of dollars made it necessary for
Erics son to merge with another company just to survive. The
overall outcome was a permanent shift in the balance of power
between the two electronics giants.
Mishaps such as technological failures—even those that
occur outside the organization—can become an inherited disaster.
When a major power outage started shortly after 4:00 P.M.
EDT on Thursday, August 14, 2003, within three minutes, twentyone
power plants shut down, impacting eight states—including
New York, New Jersey, Ohio, Michigan, Connecticut, and Pennsylvania—
and parts of Canada, including Ontario. Estimates of
the total cost of the blackout have ranged from $4 billion to $10
billion in lost income to workers and investors, extra costs to
government agencies, repair costs to the impacted utilities, and
costs for lost or spoiled food and other commodities.
Consider what a similar power outage would mean for
your organization. Approximately one- fourth of the businesses
hit by the outage reported that their resulting losses were more
than $40,000 per hour of resulting downtime, and some indicated
they lost more than $1 million each hour there was no
power. Some companies reported that the outage disrupted deliveries
from suppliers and deliveries to customers. In Michigan,
cascading consequences were reported even outside the blackedout
area as a result of delayed and extended delivery times for
parts and materials, particularly disrupting for manufacturing
operations with JIT scheduling.
Taking the Necessary Steps
In managing risk, there are three fundamental truths:
1. Only a working crystal ball would enable us to predict all
the risks that our organization might face in the future.
2. We cannot fully control risks.
3. By developing and maintaining an enterprise- wide business
continuity program that includes all internal and external
components of the supply chain, we can prepare to manage
risks in order to continue meeting stakeholder expectations
when disasters occur.
If we can agree that disasters are inevitable, it would
seem logical that we must also agree that it is wise to take the
necessary steps to manage our risks to the extent possible and
to reduce the effects of disruptions through planning and preparedness.
In my work with clients, I have undertaken the mission of
integrating the internal and external supply chain links in continuity
planning, and it has often been a hard sell. Fortunately,
that is changing as there has been a realization that the supply
chain from procurement through delivery is the revenue source
for most companies and is directly tied to cash fl ow, profi tability,
growth, and the related intangibles such as protection of the
brand, customer trust, and stakeholder confi dence.
There is a growing awareness that a disaster that impacts
the supply chain is a disaster for the entire company. Incidents
affecting the supply chain were often overlooked in earlier business
continuity planning, but this is changing. One indication of
the increasing realization of the vulnerability of today's supply
chains and the importance of fully including the supply chain
in all aspects of risk management, including business continuity,
came at the Institute for Supply Management (ISM)'s 95th
Annual International Supply Management Conference and Educational
Exhibit, held in April 2010. The conference included a
risk management track with daily workshops focused on connecting
risk management to supply chain management. In addition,
the four- day event offered two half- day sessions dedicated
to business continuity and the supply chain.
I have specialized in business continuity, disaster recovery,
and emergency management consulting for twenty years.
I have been a Certifi ed Business Continuity Professional with
the Disaster Continuity Institute since 1998 and a fellow of the
Business Continuity Institute since 2002. I've worked with utility
companies, luxury fashion goods companies, a hot sauce
manufacturer, a PVC pipe manufacturer, a division of a car
manufacturer, and government agencies, among other organizations.
I've watched as business continuity has matured to become
what it is today, and I have witnessed what works—and
what doesn't—when developing and maintaining a successful
continuity program. In A Supply Chain Management Guide to
Business Continuity, I want to pass along my lessons learned by
providing a resource for all those who want to better manage
supply chain risks. I would also like to raise awareness of the importance
of business continuity planning as an enterprise- wide
issue that must include the supply chain to fulfi ll its purpose.
My goal is to provide an easy-to-read, easy-to-understand
book that focuses on supply chain business continuity within the
framework of an overall business continuity program. While the
terminology used is corporate- centric, the principles and planning
methods can be applied in all types of organizations, large
and small, including not- for- profi ts and government agencies.
Back to Top
Table of Contents
Contents
Foreword
Acknowledgments
Introduction
CHAPTER 1 Business Continuity Basics
What Business Continuity Is . . . and Is Not
The Value of Business Continuity Planning
A Historical Perspective
Business Continuity Planning: A New Responsibility
Some Additional Key Terms
Going Forward
CHAPTER 2 The Business Continuity Program:
Who Owns It, What Drives It?
Managing Risk
Who's in Charge, Who's Responsible?
What Drives the Need for a Business Continuity Program?
Business Continuity and Risk Management: Similarities and Differences
Rules, Regulations, Requirements, Guidelines, and Implications
A Business Continuity Plan vs. A Business Continuity Program
Going Forward
CHAPTER 3 Business Continuity Best Practices
Developing a Business Continuity Program
The Business Continuity Planning Process
Hazard Assessment
Business Impact Analysis
Strategy Development
Plan Development
Program Testing and Implementation
Avoiding Business Continuity Silos
A Holistic Approach to Risk Management
Going Forward
CHAPTER 4 The Organization, the Supply Chain,
and Business Continuity
Enterprise- Wide Disaster Readiness
Incorporating the Supply Chain in Business Continuity Planning:
An Integrated Approach
Assessing Current Preparedness
Going Forward
CHAPTER 5 Risk Identification and Hazard Assessment
The Changing Face of Supply Chain Risks
Identifying Supply Chain Risks
Mapping the Supply Chain
Avoiding Inherited Risks
Applying the Hazard Assessment to Develop a Mitigation Program
Creating a Solid Foundation for Business Continuity Planning
Going Forward
CHAPTER 6 The Business Impact Analysis
The BIA: The Foundation of Business Continuity Planning
Conducting the Business Impact Analysis
Identifying and Prioritizing Critical Elements of the Supply Chain
The Business Impact Analysis Report
Going Forward
CHAPTER 7 Supply Chain Business Continuity Strategies
Devising Strategies for Managing Risks
Developing Strategy Options
Identifying Critical Suppliers
Examining Outsourcing Options
Addressing Transportation Concerns
The Role of Purchasing and Procurement in Continuity Planning
Supplier Selection
Contracting with Suppliers
Supplier Monitoring
Ensuring Continuity Support in Procurement
Partnering with Suppliers
Disaster Recovery: IT Support of the Supply Chain
Considering the Human Factor of Business Continuity Planning
The Importance of Disaster Communications
Going Forward
CHAPTER 8 Business Continuity Plan Documents
The Purpose of Business Continuity Plans
Developing the Plan
Avoiding Plan Gaps
Reviews and Updates
A Sample Basic Plan
Going Forward
CHAPTER 9 Testing and Maintaining Business Continuity
Plans
Training, Exercises, and Tests: The Key to Workable Plans
Plan Reviews and Maintenance
Going Forward
CHAPTER 10 Business Continuity Standards, Regulations,
and Requirements
Regulations, Planning Guidelines, and Standards
Personal Certification
Going Forward
APPENDIX A Business Continuity Planning Assessment
Questionnaire
APPENDIX B General and Supply Chain-Specific Hazards
Checklist
APPENDIX C Pandemic Planning
APPENDIX D The Business Continuity Team
APPENDIX E Continuity Plan Samples
Glossary
Index
Back to Top