Managing manufacturing risk
In the face of many unpredictable macro events that have disrupted manufacturing operations and increased requirements around regulatory compliance, many businesses are dedicating more time to risk-based thinking.
By: Tim Guido, Corporate Director, Performance Improvement, at Sanmina.
The automotive, medical and semiconductor industries, for example, have to comply with rigorous third-party standards in order to safeguard against risk and ensure quality control during production.
Having an awareness of what could go wrong as well as potential impacts and possible ways to mitigate the consequences is essentially risk management. How much risk a company can handle is mainly dictated by the scale of what could go wrong.
Consider for example a manufacturer that is introducing a new production line. This requires an examination of all possible risks and planning for each step that could be taken in order to avert or address that risk if it were to occur.
Such an approach is commonly known as risk management, business continuity planning or disaster management. This has arguably never been more relevant and prevalent than it is today at a time when companies have had to deal with major events including the COVID-19 pandemic, Brexit, extreme weather conditions, supply chain shortages and now the beginning of a new war.
Ensuring a comprehensive risk management programme is in place
As previously mentioned, risk management is largely centred on the investment and implementation of specific measures that can be deployed in the event of a crisis. There are four main areas to think about when planning a risk management programme:
- Risk Assessment: The first step is to identify what could go wrong at every plant, office, site and facility across a company’s operations. The actual details of this will of course likely differ, depending on the location. For example, in certain areas of the US, there are likely to be more chances of an earthquake occurring than in areas of Europe, whereas European businesses typically face tougher and more nuanced compliance regulations around data protection.
Now consider the aforementioned example of a manufacturer wanting to introduce a new production line. The first step to take would be to complete a risk assessment form covering areas including IT, HR, Finance, Health & Safety and Operations and Programme Management.
The person filling out the form would be responsible for determining all of the possible risks and associated impacts. Each identified risk would then require a threat rating to be applied to it, which generally is categorised between 1-5, with 5 signifying a critical incident that demands urgent attention.
From there, steps to take in terms of prevention and mitigation need to be factored in. In the case of a cyber attack, while complete prevention may be impossible, there are undoubtedly a number of important steps that can and should be in place to mitigate the impact of an attack. This would include ensuring employees are aware of the company’s security policy, that the most up-to-date security protection controls are in place, and so on.
- Business Continuity Planning: Meticulous planning is essential when it comes to incident management and business recovery. A key contact list should be created with responsibility for alerting key stakeholders during a crisis. Notifying customers and suppliers is not only vital from a communications standpoint but could also be valuable if they are able to help with the next steps towards a resolution. This requires a call notification script to be in place, which will ensure consistent and clear communication to all stakeholders at the right time. All of this can be practiced ahead of time in terms of drills to ensure that staff are aware of what to do during a crisis.
Additionally, what should happen in the next 24, 48 and 72 hours after a crisis occurs must be put into consideration. Returning to operations when it is safe to do so can happen more quickly if this has already been thought through in the planning stage. Clearly, it is important to be flexible during a crisis situation as not everything can be predicted and things can change quickly, but there is no doubt that having a framework plan to work from will make a big difference when every second counts. It is also vital that the plans are regularly reviewed and updated on an annual basis to ensure they remain relevant and fit for purpose.
- Regular Audits: In addition to regularly reviewing the business continuity plan, it must also be audited on a similar basis to make sure that the individuals noted as having key responsibilities are still the most appropriate points of contact. Each step of the plan should be reviewed during the audit, and regular training provided to all employees with key responsibilities.
- Regular Testing: Manufacturers should also implement a simulation of the biggest emergency incidents they could face in order to test how ready they are; ideally at least once a year. This should include meeting specific deadlines for steps such as notifying all relevant stakeholders within one hour of a crisis situation unfolding. Following the test, it is also important to assess how things went and what could be improved.
Prevention is the best medicine
The demand for vigorous risk management programmes is growing across our customer base at Sanmina as this practice becomes a crucial part of their overall manufacturing strategy. The mindset and culture of a business and how it views risk, from the top down is essential for an effective program. Organisations should also nurture and promote a preventative mindset. While being able to react to and address issues in a crisis is crucial, equally as critical is a company mindset that considers what the possible impacts are before they happen.
About the author: Tim Guido works at Corporate Director, Performance Improvement, at Sanmina.