By Dianna Brodine, managing editor
The American Mold Builder
Fire. Flood. Tornado. Earthquake. All of these are events with the potential to shut down a production facility or, at the very least, cripple its production output. The words “disaster recovery” often bring to mind pictures of the cleanup required after a natural disaster, but the more likely catastrophe could involve the loss of a key employee or a cyber attack.
Most manufacturing facilities would face serious production and delivery concerns if their operations went offline for a day or two. A delay of a week – or more – could have companies dangling on the edge of a permanent shutdown. What plans have been made (if any) to deal with the disasters that can affect any mold building operation?
Facility concerns in disaster planning
Southern Michigan Rubber, Inc. (SMR), in Three Rivers, Michigan, experienced a fi re on June 5, 2013, that began in the company’s dust collection system. Over the course of several hours, SMR Director of Operations Marel Riley-Ryman watched firefighters struggle to contain the blaze and wondered if there would be a business to save once the flames were subdued. When all was said and done, SMR lost 70 percent of its building and had to start over from the ground up.
Though SMR outsourced its extrusion and curing processes from June through the following January, the company kept other departments operating by moving machines into its molding facility and the unaffected cutting area. “The employees cleaned machines, walls, floors and ceilings, and then painted,” Riley-Ryman said. “I was finding jobs for them to do so we could keep a paycheck going to them.”
Solution: Preparation
In retrospect, Riley-Ryman acknowledged that, though the company had attempted to prepare for a fire, there were some holes in the plan. In the years prior to SMR’s incident, company founders met with several volunteer fi re departments in the surrounding area to keep them up to date on the materials the shop was using. Additionally, fi re extinguishers in the building were checked annually, but they were not hanging on the walls in an organized fashion. A more thorough plan might have helped SMR mitigate the fire’s effects.
Whether fire, flood or other natural disaster, a business impact analysis (BIA) will help determine the probability of various business disruptions and the effect each would have. Acknowledging the risks and resulting impacts will assist companies in determining the amount of investment needed to achieve the desired level of protection.
Typical risk analysis is not difficult to conduct; it is usually a matter of common sense. Considering a company’s markets, its geographic location and its suppliers’ locations, a BIA can determine possible risks associated with those characteristics and help a company determine where to make investments for protection and recovery.
For example, a company doing business with a supplier from a country in the middle of political or social unrest runs the obvious consequence of having its supply chain impacted. Or, a business in an area frequently impacted by hurricanes will have different disaster recovery needs than one in an area where wildfires are common.
See the sidebar “Facility Disaster Recovery Checklist” for initial steps that can be taken to prepare for the impact of a natural disaster on any facility. An insurance company assessment may uncover additional risks that should be taken into consideration.
Personnel concerns in disaster planning
What happens if the one guy – the guy who has been with the business for 25 years – the only guy who can get the finicky machine on the far side of the shop to work, quits? Or has a medical emergency?
A business impact analysis looks at how losing a given employee will affect a company’s operations, finances and ability to complete contracts. No matter how or why the employee leaves, the loss of knowledge and resulting impact on the business could be catastrophic.
Solution: Cross-training and communication
Every company leader knows which employees are critical to smooth, efficient and profitable operations. However, the employees may not know the company values their contributions – or, at least, not to the extent of being designated as “critical.” Management should assess which employees are critical to the successful operation of the business and then open the lines of communication with those employees. What needs to happen to keep the employees satisfied and feeling valued?
However, not every potential personnel disaster can be overcome with communication. What if retirement is on the horizon, or a medical emergency occurs that keeps the employee from work for an extended period of time? Cross-training is the only answer.
Silos of knowledge exist in every organization, but this reality is dangerous in small to mid-sized facilities. Employees designated as critical need to have a backup – someone to pass knowledge to and train. The trainee probably will not have the exact capabilities of the key employee after a period of training, but at least all knowledge will not be lost in the event of an emergency.
Digital concerns in disaster planning
According to a November 2018 blog post written by Attila Security, the manufacturing industry is a prime target for cyber crime: “The damage often is in the form of a data breach, disruption of operations or compromise to key systems, such as the company’s enterprise resource planning (ERP) system.”
In 2017, according to the Data Breach Investigations Report from Verizon, 620 cyber crime incidents related specifically to manufacturing were reported. The majority of these incidents involved data hacking, with malware attacks following close behind, and nearly half of the attacks involved the loss of proprietary information.
Phishing attacks (fraudulent emails aimed at extracting financial information) also are common – and of significant concern to small to mid-sized manufacturing companies.
“In general, manufacturing companies are more focused on securing their operational technology environment than on cybersecurity,” continued the Attila Security post.
AMBA member Micro Mold, Erie, Pennsylvania, saw this firsthand when it and sister company Plastikos, Inc., were the target of an attempt. In May of 2017, an email was sent from Plastikos President Philip Katen to employee Sandy Walker with an urgent request for a wire transfer. The email asked if she was available and, when she replied in the affirmative, a second email arrived with wire transfer details. The emails were fake and, thanks to informal training and internal procedures, Plastikos avoided adding its name to the list of scammed businesses.
A few minor points tipped Walker off . First, the initial email contained very little information and was signed “Regards, Philip,” which is different than the language Katen wouldtypically use. Second, although Katen might request a wire transfer initially via email, Plastikos’ standard protocol calls for him to then call or visit her in person to discuss the process as a sort of verbal review and confirmation. “She was expecting those procedures to kick in,” he said, “and when they didn’t, it raised her suspicions further.”
Solution: Awareness
Many phishing attacks can be stymied by savvy employees who are on the lookout for irregularities when conducting financial transactions. However, cyber criminals continually change their methods, becoming more sophisticated in their attempts. Educating employees about the likelihood of a cyber attack and setting standard operating procedures to be followed whenever a financial transaction is requested can help thwart such attempts.
“When we reported this incident to the FBI, an agent encouraged us to keep people informed, educate them on the possibilities and come up with formal policies and procedures to bolster that defense,” said Katen. “Nothing can replace the human recognition/awareness component, however. And, that’s the first thing that kicked in here.”
Conclusion
Facility disruption doesn’t occur only during times of natural disaster, and smart manufacturing businesses will make preparations ahead of time to avoid confusion when response is critical. A detailed plan that assesses risks and spells out steps to take to get production back online can be effective when a facility is in danger of missing delivery deadlines. Open lines of communication and a cross-training program can alleviate some of the concerns related to the loss of a key employee, and a constant awareness of digital threats by all employees with access to financial information may reduce the potential for monetary loss.
Facility Disaster Recovery Checklist
- Select a team of employees from a variety of departments to assist in developing a disaster recovery plan. Choose a primary coordinator and ask that person to maintain and update the plan.
- Review insurance coverages and know what is covered – and what would not be covered – in the event of a disaster.
- Identify critical business processes and systems. Create lists of the equipment and resources needed to complete work within the manufacturing facility.
- Plan for hardware and software recovery by implementing a backup and storage strategy.
- Assess threats, which include fire, flood, tornado, electrical overload, active shooter and full computer system crashes, and map out how those incidences would affect production.
- Identify an alternative site for business operations should the primary site be unavailable. Is there another company in the region that could take on the facility’s workload, if necessary.
- Establish a communication plan for employees, both to check on employee well-being after a disaster and to communicate business needs going forward.
- Publish the disaster recovery plan and ensure all employees know what is in the document.
- Test the disaster recovery plan at least once per year.