Risky business: an introduction to risk and resilience

Given all the uncertainty and difficulties facing manufacturers in today’s environment, there has been perhaps no greater time to make sure you’re resilient to all forms of risk – whether that’s political, environmental and economic risks at the macro scale, or more tangible risks within your own business. Below is an introduction to some of the key examples every manufacturer needs to consider.

Fire

Controlling fire risk is a crucial part of managing a non-domestic property, especially for manufacturers. It’s a legal requirement for all non-domestic properties to have a Fire Risk Assessment (FRA) in place. There are guides and resources you can download for free, but it’s important that the ‘responsible person’ has had sufficient training.

The potential punishment for failing to meet your duties is a prison sentence of up to two years, as well as an unlimited fine. If you have doubts about your ability to carry out an FRA, you should engage the services of a professional fire risk assessor.

Theft

Theft risk includes the burglary of physical items that belong to a company or its employees, the transfer of intellectual knowledge by internal or external actors and, increasingly, the theft of IT and data. The latter is covered by the section on cybersecurity below.

You can mitigate against the risk of theft by establishing best practices in accounting, bringing fraud deterrence to light, establishing the right ‘tone at the top’, thoroughly screening prospective employees and maintaining a working alarm system. You should also ensure you hold appropriate insurance coverage and fully understand how it can be voided – it can be as simple as forgetting to set your alarm system properly or leaving keys in vehicles.

Cybersecurity

Cybercrime has become a huge security risk for manufacturers as we move towards digitalisation and the Internet of Things.

Small businesses now have around a one in two chance of experiencing a cybersecurity breach that could cost thousands to resolve. According to one statistic, a small business in the UK is successfully hacked every 19 seconds. This usually comes in the form of an ‘untargeted attack’ such as phishing emails that ask for sensitive information or encourage recipients to visit a fake or compromised website (known as ‘water holing’). Ransomware can also be used to disseminate disk-encrypting extortion malware into your IT system.

The most dangerous attacks often come in a targeted form, where a criminal has a specific interest in your business. This can include ‘spear phishing’, where specific people within the organisation are targeted, or attacks from within your own walls by a dishonest employee acting for personal gain (see the section on employee sabotage below).

All it takes is one click from an unsuspecting member of staff and you have a crisis on your hands. Even the largest organisations are susceptible. Anyone who has legitimate access to your system as an employee or contractor should be considered as part of a holistic security regime. The National Cyber Security Centre provides useful guidance and support, including Cyber Essentials – a government-backed certification scheme to help you protect your business.

You also need to think about backing up data – where is your data stored and is it safe? If you use the cloud, is it secure and encrypted? Are you complying with GDPR regulations on personal data? Within Greater Manchester, our local universities have joined forces to create the Greater Manchester Cyber Foundry, which provides a free support programme to help you understand these questions and more. 

Health & Safety

Under the Management of Health and Safety at Work Regulations 1999, as a minimum all companies must:

• Identify what could cause injury or illness in your business (hazards)
• Decide how likely it is that someone could be harmed and how seriously (the risk)
• Take action to eliminate the hazard or, if this isn’t possible, control the risk.

Put yourself in the worst-case scenario – how you would feel if, as a result of negligent behaviour or poor practices, somebody was seriously injured or died on your watch. I’ve worked with companies where this has happened, and they never truly recover from the trauma. The Health and Safety Executive (HSE) provides a comprehensive Health and Safety Toolbox which covers all the bases to help you prevent accidents from occurring. In the current era of COVID-19, you should also take particular care to protect lone workers.

Succession planning

Companies without succession plans in place are constantly at risk of a serious disruption to their business. It’s easy to fall into the trap of assuming you will have time to decide who is going to take a particular role in the future, but what do you do if a key employee is suddenly unable to work, or decides to leave at short notice?

You should never be in a position where there is only one person on your team with a specific skill or ability to operate a certain piece of machinery. Always ensure there are at least three people trained for every task. This requires constant monitoring and planning to nurture talent so that you can continuously fill vacant leadership and business-critical positions in the future. As the old adage goes: if you fail to plan, you are planning to fail.

Supply chain resilience

Over the past few decades, supply chains have transformed into complex, globalised operations that often stretch across many countries. While the globalisation of supply can help to spread risk if managed correctly, it can also expose businesses to all kinds of regional disruptions.

The first wave of COVID-19 in early 2020 is a case in point. Another infamous example is the 2011 floods in Thailand, which cut off the supply of key components to several major car and electronics manufacturers who relied too heavily on suppliers in the affected region. 

Supply chain resiliency is the ability to ensure continuous and consistent product supply and meet your obligations to customers, in the face of both short-term operational and longer-term strategic disruptions. A good place to start is to map out your supply chain and identify potential chokepoints. Having all your eggs in one basket is never a good idea – you should always have alternative suppliers available if your first preference fails (and the same principle applies for customers!).

Understanding the multidimensional nature of risk and creating a resilient supply chain is a worthwhile endeavour, particularly in a world where disruptions are likely to occur more frequently and with greater severity. Our Manufacturing Team is perfectly placed to provide advice and guidance if you require support.

Exchange rate risk

If you have customers or suppliers overseas, managing exchange rate risk is critical. Fluctuations in currency can affect the landed cost of goods in both directions in the supply chain, but the risk can be mitigated in a number of ways. You can learn more about financial strategies when dealing with foreign currency in the blog below from my colleague, Phil Anders.

Quality risk

Poor quality products will result in reputational damage and a loss of sales. Following a Quality Management System (QMS) such as ISO 9001 is a good way to mitigate against this risk, and if you want to access high-end supply chains these standards are usually a pre-requisite. Product quality testing and inspection should also be a key part of your manufacturing process.

Failure to innovate

Standing still is never a good idea in business. At some point, you will always need to introduce a new process or product into your portfolio to remain competitive. Putting it off won’t help you. I like using the example of Kodak, who for years were the go-to brand for film photography equipment. But once digital photography came along, they fell by the wayside and are now a fraction of the company they once were.

Ironically it was a Kodak engineer who actually invented the first digital camera back in 1975. But the company couldn’t bring itself to put it on the market for fear of the effect it would have on film photography. Eventually change came anyway, and Kodak missed out. I still have an old SLR film camera in the cupboard at home, but I’ve not used it for years.

Equipment failure

The failure of any item of equipment in the production process can have huge consequences for a manufacturer. There’s the cost of lost production and the repair or replacement of the equipment, but also knock-on impacts in terms of wasted labour or raw materials backing up that end up going to waste. It can result in loss of faith with the customer and reputational damage; even the risk of litigation if a contract goes unfulfilled.

The risk of equipment failure can be mitigated through proper operator training, the use of standard operating procedures that match the OEM’s operational manuals, planned maintenance, and machine monitoring through shop floor data collection.

When identifying the underlying cause of a failure, always use the Five Whys method to get to the true cause of the problem. For more techniques to help mitigate equipment failure, read our factsheets on Total Productive Maintenance (TPM) and Overall Equipment Effectiveness (OEE).

Weather-related events

This is a risk that people often forget about. In the event of extreme weather such as storms or floods, can you keep operating? Can you still process and dispatch in all weather conditions? Can staff or suppliers reach and use the carpark if it snows? What happens if your roof leaks? What sort of damage could realistically occur? These are all questions worth considering as part of Business Continuity and Disaster Recovery Planning.

Politics

Politics has been a major concern for almost every business during the EU Exit saga. But it should be an ongoing consideration for any company that may be exposed to local government measures or volatile situations in different countries. The Department for International Trade now provides ‘barriers to trade’ service online to help businesses identify any problems they may face when trading in different overseas locations.

Politics can also be local. Consider how your clients’ businesses are controlled. If the current owner retires, is there a risk the customer will buy elsewhere?

Employee sabotage

Employee saboteurs are perhaps more common than most employers would like to think. In 2018, Elon Musk accused an employee of making coding changes to Tesla’s operating system and sending sensitive data to third parties. The staff member was allegedly angry at missing out on a promotion.

This sort of story isn’t unheard of. At the lowest end of the spectrum, disgruntled employees may badmouth a business on social media or otherwise bring it into disrepute. To mitigate this risk, keep a close eye on your brand profile and take swift action to remove anything which can be proven to be false or defamatory online. But beware: sweeping things under the carpet can backfire. In many cases honesty is the best policy, and a public acknowledgement of any wrongdoing will go a long way to alleviating a bad situation.

It’s also not unheard of for ex-employees to take confidential information or client connections with them into new jobs, which is why robust contractual terms and confidentiality agreements are vital.

HR has a very important role to play in ensuring promotions or dismissals are handled carefully; spotting signs of trouble and tackling grievances early; conducting exit interviews to ensure outgoing staff leave on a positive note; and of course, recruiting the right people for the job in the first place.

Next steps

The above examples are far from an exhaustive list of the kinds of risks that manufacturers need to consider. Once you have identified the top-level risks relating to your business, the next step is to build resilience through Business Continuity Planning (BCP), which is a topic we’ll cover in more detail in a separate blog.

For support on BCP and how to identify or mitigate any of the risks identified above, get in touch with our Manufacturing Team for one-to-one guidance from an expert advisor.