We have probably all been in situations where things have not gone as expected. Although no one wants carefully laid plans to go awry, having a Plan B ensures that you’ll be able to weather most unforeseen events. Being prepared for alternative action is especially crucial in a business context where the unexpected can happen at any time.
What is contingency planning?
A contingency plan is a clearly defined course of action that can help any organization deal with potential business risks, ensure business continuity, and then resume normal business operations as quickly as possible.
Why is it important to create contingency plans?
An unfavorable event is generally unlikely to take place. However, as a business owner, having a contingency plan for different scenarios can give you peace of mind that an emergency response is set in place if things do go wrong. With this kind of backup plan, disaster recovery will be a much smoother process, and normal operations can quickly resume.
For example, no one can accurately predict when natural disasters will strike or when global events like the Coronavirus pandemic are going to hit. In the case of the latter, nearly every business faced hardship, regardless of its size or industry, but companies that had contingency plans were able to get back on their feet sooner.
Other than providing guidance during external unexpected events, a contingency plan should also extend to possible internal events, such as data breaches, staffing shortages, software downtime, or declining business relationships.
A contingency plan doesn’t just have to cover a negative event. Ideally, you should also have an action plan in place for growth or improvement situations—for example, if there is a sudden surge in customer requests or you identify a special market opportunity.
What differentiates a contingency plan from other types of risk planning?
Business continuity plan
A business continuity plan is a temporary solution that ensures your business is able to continue functioning even after operations have been disrupted. For example, if you are suddenly unable to access your office space, a business continuity plan would be to invest in software that would allow your employees to work from home until new premises can be secured.
Alternatively, a contingency plan triggers a course of action in response to a specific incident. For example, a contingency plan for the loss of a huge client would be different from one dealing with an information systems crash.
Disaster recovery plan
While a contingency plan is a proactive strategy, a disaster recovery plan is a reactive one and should be part of any contingency policy to return your company operations back to normal. It can include recovery strategies, such as continued data access and IT infrastructure, so your company operates near the level it did before the disaster took place.
Disaster recovery and business continuity planning are both narrower in scope than a contingency plan. It deals mainly with operational matters in your organization so that you can recover from a disaster as quickly as possible.
Crisis management plan
Like disaster recovery, a crisis management plan is more focused on real-time response following a crisis, compared to the preventive planning needed for a contingency plan. A quick note on how to differentiate disasters from crises—a disaster comes about suddenly, whereas a crisis develops over time (be it quickly or slowly).
It is impossible to be prepared for every eventuality despite your best attempts to make the most thorough recovery strategies. The events that occur might not fit neatly into your contingency plan. In these situations, the only way out is to swiftly modify the contingency plan.
When companies need to think on their feet and adapt to unexpected scenarios, this is where crisis management—the overarching management of emergencies—comes into play.
Risk management plan
Risks are always present in the business world. A risk management plan is similar to a contingency plan because it is also proactive in nature. However, with risk management, you have an action plan to prevent potential crises from taking place, while also reducing the impact of these crises should they happen.
A contingency plan only kicks in either once a certain negative event becomes inevitable or there are enough warning signs to trigger a contingency response.
Pitfalls to avoid when creating your business contingency plan
Not budgeting for your business contingency plan
A contingency plan has to include a contingency fund, which sets aside a certain amount of resources (e.g., money, people, time) to cover unanticipated costs. It’s a good idea to decide this amount with your team or other stakeholders beforehand to prevent future disputes.
Resist the temptation to cut these funds even in times of a budget crunch. If something does go wrong, you will need to explain to management what happened to your contingency plan.
Not having enough support
Although contingency planning sounds like a good idea, not everyone will agree that it’s necessary. Before you start doing anything, find out how open-minded the stakeholders at your company are. If you cannot identify enough executives who think it’s important, don’t waste your time and effort to create one.
Not updating contingency plans
Contingency plans need to be updated regularly to account for new risks, changes in government policies, and shake-ups in organizational structure. In short, they need to remain current and evergreen. Schedule reminders a couple of times each year to review the existing plan and make changes if necessary.
Your contingency planning process in 10 steps
Step 1: Create a contingency planning policy statement
A contingency plan policy statement is a formal document that outlines the contingency objectives for your organization, such as getting back to normal operations by a certain time. A policy statement also expresses the authority and gives the guidance necessary for stakeholders to create a contingency plan.
Essentially, this should answer the questions “what is contingency planning?” “how should I go about doing this?” and “what can stakeholders expect from a contingency plan?”
Step 2: Carry out a business impact analysis
A business impact analysis (BIA) is used to determine the potential impact, both operational and financial, of a disruptive event in your organization. By doing so, you will be able to recognize the systems, components, and processes that are vital to your business functions, and therefore identify your recovery priorities in the event of an emergency.
Step 3: Conduct a full risk assessment
Every organization has its unique set of potential risks, which can be identified with a risk assessment. Having implemented a BIA, you will now know what your business-critical operations are. To get even more ideas, schedule a brainstorming session with your executive team and/or other stakeholders.
After this, you then need to identify the threats that could harm each of these operations—for example, a technical glitch or a change in business regulations. Once all this data has been collected, put it in a risk register—a risk chart that enables you to track your risks and any information you need to know about them.
Step 4: Classify the key risks to your business
Once you have all your potential risks, it’s time to evaluate how they might impact your organization. Ask yourself the following key questions:
- What is the likelihood that these risks will happen?
- How would these risks impact your business?
- What is the level of severity for each risk?
One way to rank risks is to use a qualitative risk assessment, which orders each risk according to its probability of taking place as well as its potential impact. Another common method is the quantitative risk assessment, which estimates how much each risk might cost your business and ranks the results from most to least costly.
Step 5: Draft contingency plans for prioritized risks
You’ll now start to create a contingency plan for the highest priority risks to your organization, namely those that are most likely to occur and cause the most damage. Outline the actual actions needed to confront a disaster and include preventive controls that can reduce the effects of disruptions.
An example of a modern, detrimental event for most companies would be an information systems breach. Preventive controls for this situation would be to invest in a good-quality antivirus software, make sure your software is regularly updated, create strong passwords, and have files backed up on-premises.
As for the actual plan, these contingency strategies and procedures are usually tailored to the system’s security impact level and recovery requirements.
Step 6: Get buy in from stakeholders
After creating a first draft of your contingency plan, it’s time to get stakeholder approval. Given that contingency plans usually involve employees and management across your company, it will be extremely difficult to implement them without adequate support. Getting approval well in advance also means that plans can be put into action right after an incident occurs.
Step 7: Distribute your contingency plans and make them easily accessible for your entire organization
Contingency plans are usually department-wide or company-wide. By putting them in a shared public folder with a clear document name, you are ensuring that everyone will have easy access to them in case of an emergency.
Step 8: Train your employees
Having laid all the groundwork, you can move on to the execution stage. It’s essential that the parties who have roles in your contingency plan know what their responsibilities are in each risk scenario. Once everyone has been appropriately trained, each of them will be prepared to act quickly in the event of an emergency.
Training should also be given to new employees so they know what contingency planning is, what it entails, and what they might have to prepare to do in the future.
Step 9: Put your contingency plans to the test
In the event of a real disaster, would your contingency plans be effective? There is only one way to find out—and that is through plan testing. Set aside time to run through the procedures for each contingency plan as if each emergency scenario were really taking place.
Not only will this validate the recovery capabilities of each plan, but it will also show if there are any deficiencies or gaps, which can then be improved upon.
Step 10: Continually review and revise your contingency plans
Smart managers know that it is not enough to just create a contingency plan. Plan maintenance is more difficult, and it takes more effort—but that’s what makes it all the more critical. Risk management is an ongoing process, and you need to keep your plan up-to-date when risks or business requirements change.
Ensure your business continuity first, thank us later
Comprehensive contingency planning will make sure that you are prepared to deal with all the risks that come with running a business. Be it natural disasters, workplace accidents, financial instability, malware—these are only the tip of the iceberg of things that can go wrong. But, with a tested contingency plan, you can effectively prepare for whatever may come your way.