Background: BillerudKorsnäs is a world-leading supplier of renewable packaging materials and solutions based on wood fibre. Business is highly dependent on around-the-clock stable production at its large-scale production facilities, together with well-functioning customer support systems. Recently, the company identified a need for improved IT continuity to support continued international business growth and effective risk mitigation within the changing IT landscape.
Challenge: Help BillerudKorsnäs become more resilient to IT and other disruptions. Educate and train stakeholders to use and implement standardised business continuity tools across the organisation.
Solution: A standardised BCM framework and an IT continuity process were developed and implemented as a pilot with key stakeholders – providing them with the tools and skillset to analyse threats and grow BCM and IT continuity capabilities organisation-wide.
Benefits: With a centralised BCM framework, the company is more resilient to disruptions while a safer environment for IT continuity is being established organisation-wide. With these processes in place, BillerudKorsnäs can continue to focus on business development during disruptions.
Customer: BillerudKorsnäs is a world-leading provider of primary fibre-based packaging materials. With 4,400 employees and production units in Sweden, Finland and the UK, the company serves customers in over 100 countries.
A standard framework for Business Continuity Management
With 20 years of experience in helping organisations to build their organisational resilience capabilities, 4C Strategies was commissioned by BillerudKorsnäs to develop a standardised approach to IT Continuity Management (ITCM) and Business Continuity Management (BCM). BCM was practiced throughout the organisation, using diverse models and processes, but IT dependencies were unclear.
“We have accomplished teams at our facilities and other parts of the organisation that have worked hard to build resilience,” says Sofia Hidén, BillerudKorsnäs’ Environment, Safety and Quality Director (previously Head of Group Risk Management). “As units, they are well prepared for diverse disruptions. However, we wanted to bring in expertise to help us put more focus on IT because so much of our business is dependent on it. We also wanted to ‘connect the dots’ between the different facilities and business units to get a holistic BCM understanding of all the interdependencies.”
“Our assignment was to develop a tailored ITCM methodology, a standardised BCM framework, update existing BCM processes, and train stakeholders on how to best use them,” says Håkan Jidmar, Principal Consultant at 4C Strategies. “By applying standardised continuity frameworks across the organisation, BillerudKorsnäs will be better prepared for any eventuality, both at a micro and macro level.”
“4C Strategies have provided us with the IT and Business Continuity Management tools and the know-how necessary to move forward and increase our resilience. Thanks to their expertise and support we can act quickly and with confidence to implement the plans and processes necessary to continue to operate and deliver products within acceptable timeframes during a disruption.”
Piloting business continuity
It was agreed that the quickest and most effective way to approach the assignment was through a pilot project at one of the company’s paper mills. Rather than looking at the entire facility, a key operation was selected that, if disrupted, would have considerable consequences to the business. A new paper machine, which runs 24/7 and measures the entire length of the facility was chosen.“We chose this paper machine because it’s a high-profile, high-investment asset that must be secured against disruptions,” explains Sofia. “Furthermore, IT permeates so much of production – from the supply of water and other raw materials to product quality control – so it provided the ideal pilot to ‘litmus test’ the new continuity methodology. There was also a lot of focus on the machine within the company and the team working with it were eager to get involved.”
Why business and IT continuity?
- For BillerudKorsnäs customers, it highlights that operations can withstand disruptions and that the company can continue to supply goods.
- For BillerudKorsnäs suppliers it can mean they must reassess their capabilities to ensure they can withstand disruptions and guarantee the supply of goods/services.
- For BillerudKorsnäs leadership, it means being able to take better business decisions knowing that the framework and plans are in place to handle disruptions.
IT Continuity methodology
Interviews, workshops, training and a table-top exercise were held with employees from production, IT and the core project team, which included the Risk Manager, Information Manager, IT Continuity Manager and Paper Mill Manager.
“It was an important step for the attendees to collaborate in the context of IT Continuity,” explains Håkan. “This helped them to see the bigger picture and how interdependent the central IT and Production IT roles are. Bringing people together in this way provides an ideal foundation for future cooperation in a crisis. ”
Typically, when developing an IT Continuity methodology, the following steps are covered:
- Assessment of gaps in IT Continuity
- IT dependency mapping
- Risk assessment of critical IT dependencies
- Review of existing IT contingency plans
- Development of methodology and disaster recovery plans based on gap analyses
- Training and education
- Table top scenario testing
- Lessons learned and review
Based on this, a new ITCM methodology was developed with defined processes from which vulnerabilities can be identified and continuity plans developed in order to build resilience. This methodology was then implemented throughout the company.
“An effective cyber continuity process not only highlights where the vulnerabilities are and which risks are most critical but also what you can do during an incident and who should be involved. We wanted to know things like which plugs could be pulled, which absolutely could not be, and which had to be in the case of for example, a malicious intrusion attempt. Doing this process together with 4C gave us this level of information in a very structured way.”
Standardising BCM
In addition to the IT Continuity methodology, a standardised BCM framework was also developed for BillerudKorsnäs based on 4C Strategies’ 6-point model. This is built on the ISO22301 standard but provides a more proactive approach to continuity and resilience with the inclusion of capability building through lessons learnt. It can be tailored to meet the needs of any facility or Business Unit, using different process-based templates. Implementing a structured BCM framework in this way can have an extensive impact on the BillerudKorsnäs eco-system, which brings with it wide-reaching benefits:
- At an organisational level, BCM processes are supported at different units under one BCM framework for improved resilience and a secure IT environment.
- At an operational level, the most severe risks can be mitigated based on importance, potential impact and likelihood of occurrence.
- At a regulatory level, it becomes easier to ensure and prove that facilities follow the framework and meet regulatory requirements.
- Within production, it supports the stepwise implementation of continuity improvements at multiple facilities.
What is Business Continuity Management?
Business Continuity Management (BCM) has moved up the agenda of organisations since the COVID-19 pandemic. What is Business Continuity Management and how do you make sure you get it right at your organisation?
Engaging senior management
An important part of the assignment included a table top exercise with the BillerudKorsnäs Senior Crisis Management team. Conducting Crisis Management exercises is an engaging way to show stakeholders the critical role that effective BCM and crisis planning plays for an organisation and its eco-system. This typifies how BillerudKorsnäs is investing in BCM for the future – something that will deliver considerable benefits to the organisation moving forwards.
“Business Continuity and Crisis Management have risen up the agendas of boardrooms in recent years as companies see the need to be better prepared for different eventualities,” continues Håkan. “The pandemic has further reinforced the need for resilience as everybody now understands that the unexpected can and will happen.”
“IT Continuity is an intrinsic part of Business Continuity Management. The pandemic has put new demands on IT security, so it’s even more important to assess your vulnerabilities and have a plan for assuring continuity if an intrusion occurs. It’s good business sense.”
Conclusion
“4C Strategies have provided us with the IT and Business Continuity Management tools and the knowhow necessary to move forward and increase our resilience. Thanks to their expertise and support we can act quickly and with confidence to implement the plans and processes necessary to continue to operate and deliver products within acceptable timeframes during a disruption.” says Sofia.
“We now know when and where to focus our efforts and who should be involved – meaning we can continue to focus on business development with the peace of mind that operations will be running. Companies that haven’t invested in BCM and IT continuity risk losing focus during a disruption because they move into firefighting mode,” she concludes.Discover how you can build your risk, business continuity and crisis management capability with our expert services. Book a free consultation with one of our consultants to discuss your requirements.