The digital transformation of manufacturing, supported by underlying technologies like Machine Learning, IoT, Data Lakes, Additive Manufacturing and Blockchain; and the business models they enable, can keep a manufacturer up at night. After all, how to respond to disruption and turn it, if possible, into competitive advantage, is a question of how to successfully compete in the future. Nobody wants to wake up one day only to find their business has been “Ubered”.
At the same time, while planning for that future, manufacturers need to continue to successfully compete today. Do you want to add another machine on the shop floor or upgrade your existing business systems? In a competitive world with limited resources, backend systems typically lose out. That, though, could prove catastrophic.
Whether you are the disruptor or the disrupted, before you can execute your grand strategy, or even count on your business to deliver the revenue required for the investments you will make, you need to ensure your business can still operate. IT has become an increasingly critical component of many companies’ operations. False assumptions and hidden risks surrounding IT systems and governance can prove deadly.
Manufacturing operations and IT staffs are continuously asked to do more with less. This often forces decisions to be made based on recognizable, immediate needs and an “if it ain’t broke, don’t fix it” mindset takes hold in order to keep things moving.
Seemingly non-critical hardware and software upgrades often get postponed. “Good” is good enough, for now. After all, downtime, while not perfect, has come to be viewed as acceptable. No significant security breaches have occurred. The systems are running, the lights stay on.
But we all know that past results do not guarantee future performance.
The average age of an on-premise Enterprise Resource Planning (ERP) system, for instance, is approaching 20 years old. Over those 20 years, business requirements have changed substantially. Companies utilize integration, customizations and bolt-ons to keep up. Businesses have grown. At 5% growth, revenue is more than 2.5 times larger than when the manufacturer’s ERP was implemented. As a result, typical systems are more complex, brittle and stressed.
Risks exist that may not have yet manifested themselves. Think of insurance as an example, we don’t cancel our policy because we didn’t have an accident or get sick in the last year. We don’t assume we will not have a health issue or accident in the next year based on the fact that we didn’t have one in the last.
Unknown risks are growing, as are the consequences of these risks. It is not a question of “if” but “when” these risks and consequences will be realized.
In thinking back to the tradeoff between investment in the shop floor and on backend systems, it’s really not about productivity improvements that can be achieved on the shop floor, it’s about your ability to do business at all. When mission-critical systems go down, revenue is lost. Manufacturers may face significant penalties from those they supply to and risk the loss of future business due to poor customer service. Lean and complex supply chains only amplify the impact of disruption.
Gartner has estimated that the average cost of IT downtime is $5,600 per minute. The impact varies greatly by industry, but across industries, 98% of organizations say a single hour of downtime costs over $100,000. 27% reported that one hour of downtime costs their firms $1-5 million.
Similarly, not being hacked is not necessarily proof that you have good security. In fact, you may have already been hacked and just don’t know it yet. It takes an average of 206 days for a company to know it has been hacked.
In competitive and changing markets, failing to meet demand can end a company.
According to a 2018 global survey conducted by ITIC, 59% of respondents identified human error as the leading issue affecting server reliability and downtime. Governance is critical. So you have to ask yourself, “Are your IT professionals certified to administer the systems they work on?”
Running on old hardware and unsupported software is a symptom of resource constraints and can lead to greatly increased levels of risk for the organization. Older legacy ERPs are targets for hacking because they were traditionally internal applications only and later acquired "bolt-on components." Thus they are at higher risk for cybersecurity and bugs. Most attacks against ERP systems are based on known vulnerabilities, not zero-day exploits.
Have you addressed Spectre and Meltdown security vulnerabilities on your ERP system? Running on old hardware and unsupported software may also indicate a failure to understand the nature of the risk. This may extend to other areas such as disaster recovery. What is your DR plan? When did you last test it?
In one instance, we reviewed the disaster recovery processes of one of our On-Premise customers. On a nightly basis, they backed up their systems to tape and moved the tapes off-site. Unfortunately, the backup failed and for two years, they were copying the same image to tape every night. Not only was this a waste of time and resources, but the manufacturer believed it was protected when, in fact, it had no viable backup to rely on.
Sometimes your own metrics can mislead you if you are not rigorous in their application; for example, scheduled downtime. Is your scheduled downtime just unplanned downtime masquerading as scheduled downtime? What was your lead time for planned downtime?
While some people believe that because of their limited resources, “good is good enough.” The truth is your shareholders will not accept a security breach or substantial downtime. There is NO agreement that either is okay simply because of resource constraints. Shareholders believe the company is investing enough to prevent these outcomes.
Before the company can invest in growth, you need to ensure you have a solid foundation upon which to build. Taking the time to review your current systems and governance is a critical first step in understanding your risk. Only then can mitigations be put in place to reduce the potential risks and impacts.
In a competitive and disruptive world, to go fast, sometimes you need to go slow. Manufacturers, especially those tasked with doing more with fewer resources, must view assessing and addressing potential IT system vulnerabilities as a business imperative.