Protecting critical assets with Business and IT Continuity at BillerudKorsnäs, a world-leading packaging producer

A standard framework for Business Continuity Management

With 20 years of experience in helping organisations to build their organisational resilience capabilities, 4C Strategies was commissioned by BillerudKorsnäs to develop a standardised approach to IT Continuity Management (ITCM) and Business Continuity Management (BCM). BCM was practiced throughout the organisation, using diverse models and processes, but IT dependencies were unclear.

“We have accomplished teams at our facilities and other parts of the organisation that have worked hard to build resilience,” says Sofia Hidén, BillerudKorsnäs’ Environment, Safety and Quality Director (previously Head of Group Risk Management). “As units, they are well prepared for diverse disruptions. However, we wanted to bring in expertise to help us put more focus on IT because so much of our business is dependent on it. We also wanted to ‘connect the dots’ between the different facilities and business units to get a holistic BCM understanding of all the interdependencies.”

“Our assignment was to develop a tailored ITCM methodology, a standardised BCM framework, update existing BCM processes, and train stakeholders on how to best use them,” says Håkan Jidmar, Principal Consultant at 4C Strategies. “By applying standardised continuity frameworks across the organisation, BillerudKorsnäs will be better prepared for any eventuality, both at a micro and macro level.”

Piloting business continuity

It was agreed that the quickest and most effective way to approach the assignment was through a pilot project at one of the company’s paper mills. Rather than looking at the entire facility, a key operation was selected that, if disrupted, would have considerable consequences to the business. A new paper machine, which runs 24/7 and measures the entire length of the facility was chosen.

IT Continuity methodology

Interviews, workshops, training and a table-top exercise were held with employees from production, IT and the core project team, which included the Risk Manager, Information Manager, IT Continuity Manager and Paper Mill Manager.

“It was an important step for the attendees to collaborate in the context of IT Continuity,” explains Håkan. “This helped them to see the bigger picture and how interdependent the central IT and Production IT roles are. Bringing people together in this way provides an ideal foundation for future cooperation in a crisis. ”

Typically, when developing an IT Continuity methodology, the following steps are covered:

• Assessment of gaps in IT Continuity
• IT dependency mapping
• Risk assessment of critical IT dependencies
• Review of existing IT contingency plans
• Development of methodology and disaster recovery plans based on gap analyses
• Training and education
• Table top scenario testing
• Lessons learned and review

Based on this, a new ITCM methodology was developed with defined processes from which vulnerabilities can be identified and continuity plans developed in order to build resilience. This methodology was then implemented throughout the company.

Standardising BCM

In addition to the IT Continuity methodology, a standardised BCM framework was also developed for BillerudKorsnäs based on 4C Strategies’ 6-point model. This is built on the ISO22301 standard but provides a more proactive approach to continuity and resilience with the inclusion of capability building through lessons learnt. It can be tailored to meet the needs of any facility or Business Unit, using different process-based templates. Implementing a structured BCM framework in this way can have an extensive impact on the BillerudKorsnäs eco-system, which brings with it wide-reaching benefits:

• At an organisational level, BCM processes are supported at different units under one BCM framework for improved resilience and a secure IT environment.
• At an operational level, the most severe risks can be mitigated based on importance, potential impact and likelihood of occurrence.
• At a regulatory level, it becomes easier to ensure and prove that facilities follow the framework and meet regulatory requirements.
• Within production, it supports the stepwise implementation of continuity improvements at multiple facilities.

Engaging senior management

An important part of the assignment included a table top exercise with the BillerudKorsnäs Senior Crisis Management team. Conducting Crisis Management exercises is an engaging way to show stakeholders the critical role that effective BCM and crisis planning plays for an organisation and its eco-system. This typifies how BillerudKorsnäs is investing in BCM for the future – something that will deliver considerable benefits to the organisation moving forwards.

“Business Continuity and Crisis Management have risen up the agendas of boardrooms in recent years as companies see the need to be better prepared for different eventualities,” continues Håkan. “The pandemic has further reinforced the need for resilience as everybody now understands that the unexpected can and will happen.”

Conclusion

“4C Strategies have provided us with the IT and Business Continuity Management tools and the knowhow necessary to move forward and increase our resilience. Thanks to their expertise and support we can act quickly and with confidence to implement the plans and processes necessary to continue to operate and deliver products within acceptable timeframes during a disruption.” says Sofia.

“We now know when and where to focus our efforts and who should be involved – meaning we can continue to focus on business development with the peace of mind that operations will be running. Companies that haven’t invested in BCM and IT continuity risk losing focus during a disruption because they move into firefighting mode,” she concludes.