Creating a business continuity program is challenging in any industry. But it can prove especially difficult in the maritime industry, where teams must manage complex digital as well as physical systems to keep operations running (as much as possible) in the event of an unexpected disruption.
Keep reading for an overview of what it takes to develop an effective business continuity plan and program for maritime companies. In this blog, you’ll learn what to consider when creating a business continuity program within the maritime industry, as well as which resources you’ll need to have in place to ensure business continuity following a cyberattack or other disruption .
Subject matter experts
Subject matter experts are important to business continuity because they provide the expertise necessary for interpreting the BCP operational documents and executing on the plans spelled out in them. They can also work intelligently through any gaps or unexpected issues that arise during an incident, but that your operational documents don’t address.
This is an important point to emphasize because it can be easy to conflate business continuity plans with a complete business continuity program. In reality, as riskonnect notes, “plans are just one key ingredient in the development of an effective business continuity program.” Operational documents that spell out a business continuity plan are not very useful if you lack the personnel necessary to implement the planned business continuity operations.
How to prepare a business continuity program: Six essential steps
Now that we know the basics of business continuity programs, let’s look at what it takes to build a BCP for the maritime industry specifically.
Step 1: Assess your BCP needs
Start by reviewing your company’s business layout, requirements, critical business processes and risks in order to understand what your BCP must address.
This is crucial because, again, maritime businesses tend to rely on particularly complex systems and processes. They use traditional software applications to track critical business data, for example, while also relying on operational technology systems to monitor the location of vessels and manage physical equipment, and each type of system may play a unique role in the business’s operations.
As a result, BCPs for maritime companies must take into account all systems, as well as the integrations between those systems and interfaces with external stakeholders. It’s critical to review your business systematically and comprehensively so you don’t overlook any systems or processes that are essential to operations.
This can differ depending on the business:
- For shipping companies, critical systems and processes are the commercial and operational systems that manage cargo booking, track and trace capabilities, EDIs for interfacing with all stakeholders (partners, vendors, government agencies), vessel planning, schedule management, fleet management, and so on.
- For port terminals, this is the TOS (terminal operation system), GOS (gate system), EDI (which enables the terminal to communicate with ocean carriers, customs, rail operators), cameras and security systems, etc.
- For logistics companies this is the FMS (freight management systems) and respective processes, TMS (transportation management systems), WMS (warehouse management systems), and so on.
What else should you know about cyber resilience planning?
Step 2: Assess risk, severity and required service level & scope
After assessing your overall business requirements, carefully evaluate the role that each system and process plays in business operations. Your BCP should identify which systems and processes are mission-critical, and which ones can remain suspended without bringing business operations to a halt. For the mission critical processes, you should decide which service level is required and at what scope.
For example, for a shipping company, cargo booking is a critical process, while HR training can be suspended until recovery. In terms of cargo booking, the company should decide which level must be maintained even during system loss (anywhere from 10% to 80% depending on the company). They must also determine which types of cargo are essential (VIP business or contracts) and which must not be processed (for example it is preferable not to book refrigerated or dangerous cargo during systems loss).
For port terminals, the TOS is probably the most critical system, while trucking reservation, as important as it may be, can probably be suspended until recovery. The terminal management should make a decision on what percentage of the port’s operations it wants to maintain during a system shutdown, with 0% being a legitimate (while not always commercially viable) figure.
In addition there needs to be a professional discussion around the scope of these operations. For example, vessel discharge is more critical to ocean carriers than vessel loading, since it can free the vessels to continue on their voyage, rather than getting stuck with the terminal’s import cargo. Export and empties, on the other hand, as important as they are, can be rolled over to the next vessels. Since it is also more achievable operationally to perform vessel discharge with no TOS vs. locating and assembling the export and empties for vessel loading, this is a good contingency plan for a terminal’s marine operations.
It’s usually impossible to restore all systems immediately following an attack (in fact the average system downtime is 21 days), so your BCP plan needs to take into account the varying levels of importance and risk associated with the various resources your business relies on, then prioritize the ones that are most critical. The overall goal should be to restore business operations to an acceptable level as quickly as possible, even if that doesn’t mean restoring all systems right away.
Step 3: Predict business impact
In addition to assessing the importance of each system, a BCP should identify what will happen to the business if a given system goes down. By including this information in your BCP, you ensure that you know the impact of a failure as soon as it happens, rather than having to calculate it in the midst of responding to an attack.
The impact of each system will differ from one company to another, and it depends in part on the extent to which contingencies can be implemented. For example, if a software application that you use to book cargo goes down, will you be totally unable to make new bookings? Or will you be able to manage bookings manually until the application is restored (which will probably be done much slower and result in limited booking ability)? The answer will depend on factors like how much cargo you need to book, how quickly you need to book it and whether you have staff available who can manage bookings manually.
Step 4: Develop contingencies
The next step in the business continuity training and planning process is to identify specific contingency plans that your business should implement in order to protect critical processes.
For instance, if you know that it’s feasible to book cargo manually following the failure of a software application, your BCP should define exactly how the manual cargo booking will take place. Are you going to use pen and paper? Personal email accounts? Messaging applications? Excel files? Or maybe invest in dedicated contingency systems/measures?
And not less important – which is the minimal critical data required for each contingency? And how are you planning to make it available for the contingency in case of a system shutdown?
The specifics of your contingency planning should reflect what your business priorities are and which processes are most important to protect. In most cases, contingency operations can provide only a fraction of the functionality of normal operations, so you must identify which functions are most important to protect, then develop contingency plans based on those considerations.
Learn more about business continuity in the maritime industry
Step 5: Designate personnel for contingency plans
As we noted above, plans aren’t very useful if you don’t have people to execute them. For that reason, it’s important for your BCP to identify which personnel will execute contingency plans.
For example, if one of your contingency plans is to manage cargo bookings manually but your bookings staff is too small to handle that task on its own during an emergency, you may decide to designate personnel from other departments to assist with bookings in the event of an incident.
And if your terminal gate needs to be operated manually, you will probably also need to expand the security and checkers team rapidly. You’ll also need to determine which business continuity training and tools those personnel will require to fill the role.
Step 6: Write – and test – playbooks
The final step in business continuity planning is to translate your plans into playbooks that spell out exactly what needs to happen following an incident.
Then, test those playbooks periodically to ensure that you can act on them in the way you need. Ideally, you’ll practice the playbooks at least once a year to ensure they don’t become obsolete. Testing is absolutely essential because there may be issues that you didn’t anticipate, and you don’t want to wait until a real-world incident to learn that your playbooks contain gaps or missing procedures.
Conclusion
Business continuity planning in the maritime industry requires careful evaluation of a wide variety of systems, processes and business requirements. There are many moving parts – like vessels, terminals and the operational systems that they depend on – to consider, and widely varying levels of risk to address. There are also many different stakeholders to consider and factor into contingency plans.
At Cyberstar, we have years of experience in assessing, analyzing and practicing business continuity programs for maritime and logistics businesses. We know what it takes to develop a BCP that protects operations, and we’re familiar with the common pitfalls that prevent effective business continuity planning for maritime companies.
Contact us to learn more about how we can help develop an effective business continuity program for your company:
