Costing the global economy $375 billion per month, the Coronavirus disease (COVID-19) has exposed many companies’ reliance on their supply chains and weaknesses in business continuity management (BCM). A recent COVID-19 survey found that more than half of companies worldwide did not have a business continuity plan (BCP) in place to offset the impact of incidents such as the current pandemic outbreak.
According to the Allianz Risk Barometer 2021, 62% of respondents selected “initiating or improving BCM” (62%) as the main action companies are now taking in order to de-risk their supply chains. This is followed by “developing/alternative multiple suppliers” (45%), “investing in digital supply chains” (32%), “intensifying supplier selection, auditing and risk assessment” (31%) and “inventory/safety stock management” (17%).
Supply chains under pressure
There are not many positives to take from the pandemic, but a growing realization that the impact of globalization needs to be better managed and more resilient supply chains need to be built is to be welcomed. Many companies have found that their contingency plans were overwhelmed by the rapid pace of the pandemic and changes in public health measures over the past year.
The extent to which some supply chains came under pressure during the COVID-19 pandemic is illustrated by a situation recently faced by automotive manufacturers. Due to a lack of semiconductors, many car makers were threatened with production stoppages, delays in deliveries and measures such as shorter working hours. There were no short-term supply alternatives. Many manufacturers had to cut production, delivering a further blow to an already hard-hit sector.
In the future, businesses will need to consider more and better scenarios in order to prepare for future disruptions. Identifying and understanding potential triggering events is a significant challenge, but the central key to survival is quick response times. The problem isn’t just traditional risks like fire or flood, but increasingly important intangible risks – something COVID-19 has uncovered.
The pandemic’s impact on business-as-usual will be felt for a long time. It forced companies to depend on new or increased digital approaches, as travel and face-to-face interaction was discouraged and remote working increased proportionally – a 2020 Deloitte survey found that 48% of respondents had been forced into at-home working due to the pandemic.
However, new working scenarios also bring the potential for new disruption scenarios. The move toward digital dependence and remote working has exacerbated cyber and business interruption vulnerabilities from threats such as system failures, phishing, compromised emails and the rising number of ransomware attacks. For example, on average, a ransomware attack can result in 16 days of downtime. Maintaining secure backups can significantly reduce losses but a dedicated BCP outlining what a company needs to do in the event of a ransomware attack to minimize disruption could prove invaluable.
What makes a good BCP?
Scenario-based planning critically examines the company’s own setup and the resilience of its supply chains. The BCP, which should have top management buy-in, is a holistic approach that considers essential operations, critical equipment, key personnel, functional vulnerabilities, supply chain exposures and proposed solutions. An effective BCP will involve key personnel from each critical function area, heads of departments and site managers. Employees, as well as managers, should facilitate, understand and take ownership, where possible, of the planning process and implementation.
BCPs should be well-documented in order to satisfy audit requirements and should consist of four key steps:
• Conducting a business impact analysis (BIA) that predicts the consequences of disruption to a business function and process.
• Assessing risks by defining likely threats or vulnerabilities and their business impacts
• Establishing recovery point objectives (RPOs), which describe up to what point in time the business process’ recovery can proceed.
• Establishing recovery time objectives (RTOs), which define how much time it takes to recover after the notification of the business process disruption; and the exercising and maintenance time required to test the plan against different scenarios and make adjustments.
Vulnerabilities could include the facility itself, unique equipment, bottlenecks, logistics, warehousing and inventory needs, manufacturing capabilities and capacities, purchasing restrictions, contractual obligations, supplier shortages and IT system failure, among many other things. These would be spelled out in the overall BCP, which includes several individual plans governing different sub-areas within the organization.
Additionally, developing emergency plans is vital. Companies should account for employees and family members and plans should include clear lines of communication and detailed guidelines for actions at all levels of staff, pre- and post-incident. Plans need to be constantly updated and tested, including having alternative suppliers available. They need to be cross functional and integrated into an organization’s risk management and strategic processes.
De-risking supply chains
The pandemic has added to existing climate, reputational and compliance pressures to rethink supply chains which have become increasingly global and complex. Over the last four decades, a large part of the world’s production has been organized in global value chains with a high degree of division of labor. Raw materials and intermediate products from different countries are shipped around the globe for processing and then assembled at another location. The finished products are in turn exported to end-users in both industrialized and developing countries. In recent years, insurers have experienced a significant increase in the severity of business interruption claims, particularly in the automotive, electronics and manufacturing sectors, where reduced stock levels and increased reliance on fewer suppliers have driven up the costs associated with fires and natural catastrophes.
During the first lockdown, companies around the world were affected by restrictions and temporary closure of operations. There was a flurry of assembly line shutdowns in the automotive industry. As a result of plant closures, the pandemic presented global corporations with the major challenge of getting hundreds of supply links back on track. This was the most difficult task for production planners in the spring of 2020. And, the concern about renewed shutdowns is driving the boards of many companies.
Post-pandemic, a lot of work remains to be done on business continuity and business resilience. In order to manage the risks and develop solutions, businesses will need to collect data, utilize analytics, and then consider what is insurable. Risk management today is very good at insurable risks, but could do better when it comes to non-insurable risks, like intangible assets, supply chains and reputation.