Contingency Planning
Developing a Good "Plan B"
Fires, floods, tornadoes, pandemics – these are the types of events that we often associate with contingency planning.
But what if your main supplier suddenly goes bankrupt, your entire sales force comes down with food poisoning, or your website is held to ransom by hackers?
Contingency planning isn't just about major crises and natural disasters. It can also prepare you for more commonplace problems, such as the loss of data, staff, customers, or business relationships. That's why it's important to make contingency planning a routine part of the way you work.
In this article, we explore how to create and maintain robust contingency plans, so that you've always got a backup option when things go wrong.
Conducting a Risk Assessment
Every organization faces a unique set of risks that it needs to plan for. The key to identifying yours is to conduct a thorough risk assessment.
The first step is to identify your business-critical operations. These are the key processes and functions without which your organization could not operate – for example, your supply chain, your internet connection, or your ability to comply with legal standards.
Next, identify the threats that could harm each critical operation. These could include the loss of key staff, technical failure, or a change in government policy, for example. (Our article, Risk Analysis and Risk Management, covers this process in more detail.)
Chances are, you'll end up with a long list of potential threats. It may be unrealistic to attempt contingency planning for all of them, so you need to prioritize.
Risk Impact/Probability Charts are a good way to do this. These charts help you to analyze the impact of each risk, and to estimate how likely it is to happen. This reveals which risks require the expense and effort of risk mitigation. Business processes that are essential to your organization's survival, such as maintaining cash flow and market share, are typically at the top of the list.
Tip:
Contingency planning is one response to risk. But in some cases it may be safer or more cost effective to tackle it in other ways: to avoid the risk, by investing in new equipment, for example; or to share the risk, by purchasing an insurance policy. Or you may choose not to formally plan for some lower-priority risks at all, but to manage them if they do happen.
What Does a Contingency Plan Cover?
A good contingency plan can prevent your business from "going under" when unexpected events occur, so it's vital to ensure that it's fit for purpose.
Here are the key elements to include:
Scenarios
Refer to your risk assessment and impact/probability charts and choose the most damaging or most likely scenarios that you want to plan for. Then, map out what should happen in each case (see examples 1 and 2, below).
Aim to include a broad range of scenarios – for instance, cyber attacks, prolonged staff absences, IT malfunctions, loss of suppliers, serious power outages, or structural problems with your business premises.
Triggers
Specify what, exactly, will cause you to put your contingency plan into action. If you have a plan for heavy snow, will it be triggered by a severe weather warning, or only by actual snowfall?
One event could also have multiple triggers, each of which initiates a different part of your plan (see example 2, below).
Response
Include a brief overview of the strategy that you will follow in response to the event. This provides a context for the actions that you ask your people to take.
Who to Inform
Identify the people who need to know about what's happened. This could include employees, suppliers, customers, and the wider public, as appropriate. Our article, Communicating in a Crisis, explores how to plan and deliver effective communication in difficult situations.
Also, make sure that you're aware of your legal obligations, and that incidents are reported to the relevant authorities where necessary.
Key Responsibilities
Define who's responsible for each element of the plan, who will be in charge at each stage, and what you expect them to accomplish. The Responsibility Assignment Matrix and the RACI Model are useful tools here.
Timeline
State what needs to be done within the first hour, day and week of the plan being implemented.
This could be as simple as, "Inform employees of the situation immediately." But you may need far more detailed timelines for certain situations, such as data breaches, serious workplace injuries, or leaks of hazardous materials.
Also include details of when you would expect normal business to resume, and what will signal that your organization is ready for this.
Contingency Plan Examples
Click on the links below to see two scenarios and contingency plans for an online retailer with an office of 20 employees and a warehouse full of stock.
Example 1 – A Minor Business Disruption
Example 2 – A Significant Business Disruption
Note:
These examples show just one possible way to present your contingency plan. You may prefer to use another format, such as a flow chart or slideshow. Choose a style that suits your needs, and one that captures all of the necessary information.
Developing Your Contingency Plan
When you develop your contingency plan, remember that your primary aim is to maintain or restore critical business operations, so look closely at how these might be affected by each scenario.
Be aware of knock-on effects. Will your organization be able to function at full capacity when you implement your "Plan B," or will productivity drop? If so, for how long?
Involve Your People
To answer questions like these, it's useful to consult people from across your organization.
Managers from different departments can advise you on the impact of disruptive events on services, staff, resources, and business functions. And "frontline" employees are often best placed to tell you about the minimum tools and support they require to maintain essential operations.
Take the time to share your plan across your organization, so that people can offer feedback and ask questions. Use this process to make your plan even more robust.
And, if possible, conduct drills to assess the efficacy of your plan. This can highlight areas for improvement, and reveal skills gaps or training needs.
Get Buy-In
People are often poorly motivated to develop a strong "Plan B." They may already be invested in "Plan A," or they may perceive the risks to be low and see no need for a contingency plan. As such, getting people to contribute to your plan can be a challenge.
To offset this resistance, stress the importance of the task and the potential consequences of not having a plan in place. Lead by example, by completing any contingency-plan-related tasks of your own. And, if it's within your power to do so, set people deadlines for submitting their contribution, or make it a performance review objective.
Keep It Simple
When you write your contingency plan, be sure to use simple, plain language. You don't know when the plan will be used, or who will read and implement it when it's needed. For the same reason, use job titles or roles instead of names when you define people's responsibilities. This will help to keep your plan relevant, regardless of any changes in personnel.
And don't forget that your people are business-critical, too. Sudden, unexpected events can be difficult or stressful for them – and for you. At such times, clear communication is essential to reassure everyone that the situation is under control, and to avoid potentially damaging rumors and gossip. Read our article, How to Keep Calm in a Crisis, for more on this.
Maintaining Your Contingency Plan
Your contingency plan must be reviewed and updated regularly, if it's to remain useful and credible.
When you review it, take all relevant technological, operational and personnel changes into account and reassess the risks accordingly. Then, discard old versions of the plan.
Tip:
The coronavirus pandemic demonstrated how quickly whole organizations can change the way they operate – having everyone suddenly working from home, for example. So bear this in mind when you're writing your contingency plan. It needs to work in any workplace scenario, whether everyone's in the office, everyone's remote, or there's a hybrid approach in place.
When new employees join your organization, provide them with the contingency plan as part of their induction so that they're familiar with it, and so that they know what to do if there's a problem.
And finally, keep your plans safe, and make sure that they're accessible by the right people at the right times. If a crisis occurs, you won't want to be searching for passwords or struggling to give people access rights. Treat your contingency plans with the same care that you give to all your business-critical information.
Note:
The specifics of disaster recovery are beyond the scope of this article. For more information on this topic, listen to our Expert Interview with Kathy McKee, Leading People Through Disasters.
Key Points
Contingency plans are an essential part of risk management. They help to ensure that you've always got a backup option when things go wrong, or when the unexpected happens.
To develop a contingency plan, first conduct a risk assessment: identify your business-critical operations, identify the threats to those operations, and analyze the potential impact of each threat.
Then, include the following points for each threat:
- Scenarios.
- Triggers.
- Response overview.
- People to inform.
- Key responsibilities.
- Timeline.
To create the most robust plan, consult widely within your organization, conduct trial runs, update the plan regularly, and store it securely.
This site teaches you the skills you need for a happy and successful career; and this is just one of many tools and resources that you'll find here at Mind Tools. Subscribe to our free newsletter, or join the Mind Tools Club and really supercharge your career!
In today's high tech world having a robust IT security strategy is a must. Thank you for sharing the infographic.
Michele
Mind Tools Team