<p><b>Business Continuity Planning </b> </p><p>Broadly speaking, business continuity planning (BCP) means developing plans to be resilient--that is, to be prepared to respond to and restore operations after an unexpected, major disruption occurs. Focusing on BCP also improves security by virtue of exposing the potential weaknesses in the system, and then focusing efforts to address those weaknesses. Implicitly, business continuity planning also helps companies make better decisions with regard to how much resilience and security is desired, how to achieve the target levels and through what measures, how to develop backup plans, and so forth. </p><p>At the more progressive companies, BCP entails establishing multiple layers of security and resilience. Typical layered actions include early and ongoing assessment of supplier security and resilience through on-site visits and quarterly "capacity reports" (in-person assessments of the real-time capacity available at the time of inquiry); development and maintenance of alternative supply and production capacity; mirrored information systems with alternative communication system backup; and specific plans for an emergency response to disruption. The layered nature of the business continuity plans means that each response does not need to be perfectly implemented because the layers of security and resilience actions back each other up. Hence a layered system could remain secure and resilient even though one of the layers may have been defeated.10 </p><p>Some advanced companies have established emergency operating centers (EOCs) to facilitate their response plan. Set up in a protected working environment within the organization, these centers provide a venue where a predetermined set of leaders convene to make decisions about the business. Each EOC has all the communication devices necessary to reach key decision makers and business operators, thus providing a defined working environment, hierarchy, decision-making process, and operating procedures for responding to disruptions. Localized disruptions activate the local EOC. When the disruptions span beyond the scope of one facility's operations, a global EOC is activated. </p><p><b>Responding through Organizational Capabilities</b> </p><p>One of the more powerful capacities observed from our study was the ability of certain companies to improve security and resilience through their organizational capabilities. Specifically, these leaders have been successful in "socializing" security and resilience--that is, making these qualities part of the organization's culture and accepted set of beliefs. This is accomplished largely through enterprise-wide training on security and resilience and incorporating these characteristics into the course of daily operations and decision making. </p><p>A recent conference held at MIT underscored the importance of socializing security in the organization.11 Specifically, several attendees reported improving security and supply network performance by bringing together the organization's security and supply chain functions. One company accomplished this informally via a project team comprised of security and logistics leaders. The team was charged with executing a "sting" operation intended to catch an organized theft ring that had been hijacking freight en route. This multifunctional team succeeded where independent logistics and security efforts in the past had not. Another participating company put a formal, long-term structure behind the security-logistics connection by re-assigning five security team members to the global logistics team. </p><p>Security and resilience also can be enhanced by the organization's leadership. Almost all of our respondents, in fact, had elevated the top security position to chief security officer, director of security, or a similar title. Increasingly, these top managers are being tasked with responsibilities that incorporate aspects of both security and supply network operations. </p><p>Similarly, the skill sets of leading companies have expanded, largely through the hiring of outside experts with backgrounds in federal law enforcement agencies or in the U.S. military. In addition, some U.S.-based global companies have enlisted security experts from non-U.S. law enforcement agencies such as the Israeli Mossad, Irish Garda, British Intelligence, and the Hong Kong Police. In this way, organizations are integrating security expertise into their supply networks (although a lot more integration still needs to take place). </p><p>Perhaps the most frequently noted organizational actions involve education and training. Leading companies educate their people (and their suppliers and customers) about security, resilience, and supply network risks. In doing so, they raise awareness and reinforce the importance of secure and resilient systems. </p><p>They also train their organizations on how to execute the emergency response plans through in-house training, typically including emergency response or supply network "fire drills." These simulations and exercises explicitly test the emergency response plan as well as the organization's capability to execute the plan. Drills and tabletop simulations involve mock exercises for different kinds of disruption. These exercises assess the disruption's impact not only on individual facilities but also on the entire supply chain. This is done by company employees actually checking supply material availability at key suppliers, transportation providers, or other "disrupted" parts of the supply network. The most progressive companies periodically surprise local facilities and announce a "supply network disruption drill." This action activates the EOC for mock operations, which includes interaction with local authorities, customers, and suppliers. </p><p><b>Making the Business Case </b> </p><p>Before any proposed initiatives to improve security and resilience can move forward, the business case for such investments needs to be made. And that case is made most forcefully when the impacts are quantified. </p><p>The difficulty, however, comes in trying to quantify the impact of a supply network disruption not happening . As one respondent to our survey said, the real benefit in such cases comes from avoiding losses. "Nobody gets credit for solving problems that did not happen," this individual noted. This reality challenges the business to value savings from avoidance--a challenge that other cost-avoidance efforts, such as lean production, total quality management, and customer service improvements, already have addressed in some measure.12 </p><p>A select few companies, however, have been able to quantify the impact of potential disruptions. For example, one company we surveyed estimated a $50 million to $100 million cost impact for each day of disruption in its supply network. Several others measured disruption in terms of time-to-customer impact--that is, the number of hours before a disruption ultimately affects a customer. One respondent resorted to building a separate, redundant production facility when it determined that a specific disruption would cause a cash-flow problem that would make the company insolvent in 30 days. </p>