Mastering Contingency Planning: Expert Strategies, Proven Best Practices, and Testing Techniques for Optimal Results

By Joe Weller | May 9, 2023

Successful organizations must understand potential risks and have contingency plans in place to address them. We’ve assembled expert tips on effective contingency planning and offer practical insights on how to test those contingency plans.

Included on this page, you’ll find the benefits of contingency planning, steps to take to create a contingency plan, examples of contingency plans, and information on a range of exercises your team can do to test its contingency plans.

What Is a Contingency Plan?

A contingency plan is a proactive strategy that outlines the actions a person or entity will take in response to a potential future event. Businesses often develop contingency plans to prepare for risks and mitigate their impact on the business.

What Is Business Contingency Planning?

Business contingency planning is work an organization does to determine how it responds to future events that might affect the business. The goal is to prepare an organization to respond to negative events and mitigate their impact on the business.

A business contingency plan is a written document that outlines an organization’s contingency planning efforts. It typically includes a comprehensive assessment of possible risks to the business and corresponding measures the organization has planned to mitigate these risks, such as legal and budget contingency.

Why Is a Business Contingency Plan Important?

A business contingency plan is crucial for any organization, as it helps them respond quickly and effectively to negative events. With a solid contingency plan in place, companies can minimize damages and continue to thrive even amid challenges.

While an organization might develop a contingency plan for risks to individual projects or general risks to the enterprise as a whole, business contingency plans refer specifically to general risks to the enterprise. This document details all of the most important risks that a business or organization faces.

In recent years, the importance of business contingency plans has increased significantly. With the rise of climate change, natural disasters have become more frequent and disruptive, underscoring the need for organizations to have effective contingency plans. In addition, the ever-growing threat of cybercrime has further highlighted the importance of contingency planning, as businesses increasingly rely on technology to operate.

Luis Contreras

“Before, you might have said, ‘What are the odds of a 100-year flood?’” says Luis Contreras, President and Principal Consultant for AzTech International, a California consultancy that helps organizations manage large, complex projects. “Well, they are happening more often now. ‘What are the odds of a cyber incident?’ Well, they're happening more often.”

Erika Andresen

Many organizations take steps in their risk management programs to try to completely eliminate certain risks. However, it’s almost impossible for any organization to completely eliminate the chance of a risk happening, says Erika Andresen, a business continuity and resilience expert, author, and founder of EaaS Consulting. Business contingency planning is important, she says, “because your risk management will fail at a certain point.”

The Benefits of a Contingency Plan

Contingency plans offer several benefits to organizations. They enable organizations to respond promptly and effectively to unexpected events, minimize damages, and facilitate a quick recovery. With a contingency plan in place, organizations can take proactive measures to mitigate risks.

Here are some of the primary benefits of having a contingency plan in place:

  • Improves Event Responsiveness: By having a clear plan in place, there is no confusion and individuals know how to react without blindly searching for direction. This enables the organization to take swift and effective action, minimizing response times and ensuring continuity of operations.
  • Minimizes Damage: Having a contingency plan in place enables immediate and effective responses to potential risks or events, minimizing the resulting damage. For example, a company has property that is susceptible to flood damage. With a contingency plan in place, the organization can promptly identify the flood and take preventive measures within 30 minutes to minimize future damage. Without a contingency plan, it might take several hours before the organization can address the issue, resulting in significant damages. In such cases, a contingency plan could be the difference between incurring minor cleanup and repair expenses vs. incurring thousands of dollars in damages.
    Andrew Lokenauth
    Andrew Lokenauth, a former finance executive with Goldman Sachs and J.P. Morgan, an adjunct professor at the University of San Francisco School of Management, and the founder of befluentinfinance.com, provides another, larger-scale example. “COVID-19 crumbled stock prices for companies that had supply chain issues,” he says, noting that companies with contingency plans did much better. “The ones that had good business continuity planning — they did well.”
  • Facilitates Quick Recovery: Organizations with good contingency plans bounce back quickly from negative events. For example, a severe storm or power outage might have a huge effect on a state or metropolitan area, but businesses that have backup generators and other contingency plans can often resume operations quickly.

    “It's resilience — it's how your company stays a company,” Andresen says. “That's how the company is able to grow and thrive. You've figured out that you're going to have a risk that is going to impact your operations. And then you worked and took the extra step to put in policies and procedures to get yourself back up and running with minimal disruption.”
  • Decentralizes and Disseminates Important Information: Business contingency planning forces organization leaders to gather people to assess the organization’s potential response to various events. This work necessitates the sharing of important information about the company and its operations, resulting in more people knowing how to assist in the company’s response.

    Accessible, decentralized information is invaluable in a crisis event or when top leaders in a company suddenly leave.“If you have a company with one or two top leaders, then it makes it even more important,” says Lokenauth.

    “If one person has all the knowledge, when something happens to that one person, how does the company function?”
  • Gives the Company Confidence in Its Operations: When you create effective contingency plans, you boost the confidence of everyone in the company. You instill a sense of trust that the company will respond well in an emergency. Moreover, you enhance confidence in the company’s overall preparedness, foresight, and integrity.

What Does a Contingency Plan Cover?

A contingency plan covers the important risks the organization is monitoring and any possible triggers to those risks. It also outlines the specific actions organization staff will take to respond to them.

A contingency plan often includes the following components:

  • Triggering Events: Identify the events that can make a risk event more likely to happen, such as weather patterns or market conditions.
  • Response Details: Outline specific actions the organization will take in response to a risk event, including preventive measures and mitigation strategies.
  • Organizational Responsibilities: Detail the roles and responsibilities of key personnel within the organization, such as the crisis management team and first responders. This might include a RACI chart that outlines who is responsible, accountable, consulted, or informed about specific response actions.
  • Key Contacts: Include contact information for key people or organizations that will be involved in the response efforts, such as emergency services, suppliers, and customers.
  • Outside Experts: Identify outside experts or consultants the organization might need to engage for help when responding to the risk event, such as legal advisors, public relations firms, or technical specialists.
  • Response Timeline: Include a timeline that details when certain responses need to happen, such as when to activate the crisis management team, notify stakeholders, or implement recovery measures.

Learn more about important components and how to write an effective contingency plan in this all-inclusive guide to writing contingency plans.

How to Develop a Contingency Plan

Developing a contingency plan begins with identifying and assessing potential risks. Next, teams outline an appropriate response to each risk, including specific actions that need to be taken and who will be responsible for executing those actions.

Steps in Business Contingency Planning

To develop an effective contingency plan, businesses need to follow some critical steps. The process starts with identifying and assessing potential risks and creating a response plan. Teams should then be trained on the plan and continually monitor potential risks.

These are the important steps to creating an effective contingency plan:

  1. Identify and Assess Risks: Identify potential risks that could have the most significant impact on your organization. This assessment might involve conducting a business risk analysis to evaluate potential threats, vulnerabilities, and consequences. Learn more about this step in the contingency planning process in this comprehensive guide to risk mitigation.
  2. Identify Resources: Identify what resources your organization already has that can help with contingency responses. This might include people, tools, or services that can be used to respond quickly to an unexpected event. Gather and coordinate those resources.
  3. Create Contingency Plans: Create a contingency plan for each risk that your organization has identified as critical. This plan should outline specific actions that need to be taken, who will be responsible for those actions, and a timeline for executing the plan.
  4. Seek Input and Secure Approvals: Get input from stakeholders and people within your organization on your draft contingency plans. Once you’ve gathered feedback, finalize plans and get approval from the organization’s leaders.
  5. Share Your Plans: Communicate your contingency plans to all relevant stakeholders within your organization. This includes making sure that everyone understands what the plans are, what their role is in executing the plans, and any necessary training or resources required to implement them.
  6. Perform Training Exercises: Train all relevant staff members on the contingency plans, and make sure they understand their roles in executing them. To test the effectiveness of the plans, perform exercises or drills that simulate potential risk events.
  7. Monitor Risks and Contingency Plans: ​​Regularly review and assess business risks to ensure that your contingency plans remain effective and relevant. Evaluate whether the current plan provides the best response to potential risks and consider making updates or modifications as necessary.
  8. Create New or Adjusted Contingency Plans as Needed: If your monitoring indicates that your contingency plans require adjustments, take action and promptly update them.

Business Contingency Planning Grid Template

Sample Business Contingency Planning Grid Template

Download a Sample Business Contingency Planning Grid Template for 
Excel | Microsoft Word

Download a Business Contingency Planning Grid Template for 
Excel | Microsoft Word

Download this business contingency planning grid template to assist your team in identifying potential risks to consider in your organization’s business contingency planning. This template provides a comprehensive list of broad risk categories and specific risks within those categories. By using this tool, you can evaluate which risks are relevant to your organization and develop appropriate contingency plans.

Contingency Planning for IT

Contingency planning in IT follows the same basic steps as other organizations. However, it often begins with a contingency planning policy statement, which outlines an organization’s broad approach to contingency planning.

What to Include in a Contingency Planning Policy Statement

A contingency planning policy statement is a document that outlines how an organization will perform contingency planning. It includes details on objectives, roles and responsibilities, resource and training requirements, testing schedules, and data backup and storage plans.

A contingency planning policy statement should include the following components:

  • Objectives: Describe the organization's overall contingency planning objectives — for example, what types of risks the organization is preparing to address and how the organization's contingency planning efforts align with its overall business goals.
  • Roles and Responsibilities: Outline the specific roles and responsibilities for performing contingency planning within the organization. This should include both high-level positions and specific individuals who will be responsible for carrying out different components of the plan.
  • Organizational Functions and Departments: Identify which organizational functions and departments will be responsible for performing contingency planning. This helps ensure that all relevant areas of the organization are involved in the planning process.
  • Resource Requirements: Determine the resources needed to support contingency planning efforts, including funding, personnel, equipment, and other necessary resources.
  • Employee Training Requirements: Develop a plan for training employees on their roles and responsibilities in the event of a contingency situation. This might include both general training on contingency planning concepts and specific training on the organization's specific plan.
  • Schedules of Exercises and Tests: Establish a schedule for conducting exercises and tests of contingency plans to ensure that they are effective.
  • Procedures for Maintaining and Updating: Develop procedures for maintaining and updating contingency plans over time, including regular reviews and updates to reflect changes in the organization's risk landscape or other relevant factors.
  • Data Backup and Storage: Determine how the organization will back up and store all electronic data to ensure that critical information is not lost in the event of a contingency situation.

A Contingency Plan Model for IT

The National Institute of Standards and Technology (NIST) has created SP 800-34, a popular contingency plan guide for IT. The guide outlines the steps and considerations that organizations should take when developing, implementing, and maintaining an effective contingency plan.

The SP 800-34 guide covers the entire contingency planning process, from risk assessment to plan testing and maintenance. It is widely used as a reference by government agencies, private organizations, and security professionals.

IT Preventive Controls

Any organization’s IT contingency plan should include preventive controls. These are measures an organization can take to prevent interruptions to information services or technology.

 Here are some basic IT preventive controls recommended by the NIST for federal information systems:

  • Uninterruptible power supplies (UPS): To provide short-term backup power to all components, appropriate for the size of your system.
  • Fuel-powered generators: To provide power over the longer term.
  • Air-conditioning systems: Establish adequate capacity to prevent failure of components that malfunction when overheated.
  • Fire and smoke detectors: Install in appropriate locations.
  • Fire suppression systems: Install to minimize potential damages.
  • Water sensors: Place in the ceiling and floor of rooms where computer equipment is located.
  • Containers for backup media and vital non-digital records: Ensure they are heat resistant and waterproof.
  • Master system shutdown switch: Make available for emergencies.
  • Off-site storage areas: Use them for backup media, system documentation, and important non-digital records.
  • Technical security controls: This includes management of cryptographic keys.
  • Frequent scheduled backups of data: This includes information on where the backups are stored, onsite and offsite.

Examples of Contingency Plans

Contingency plan examples can help your team understand what to consider in creating a plan and the important components to include.

You can learn more about contingency planning and download blank and example contingency plans.

Business Contingency Planning Best Practices

To improve your organization’s business contingency planning, experts recommend following a number of best practices, such as performing an effective risk assessment, training employees on the plan, and conducting exercises to test the plan.

These are some best practices to follow for effective business contingency planning:

  • Perform Good Risk Assessment and Analysis: Your team should identify the most critical risks through a thorough risk assessment. This includes analyzing the potential impact of each risk and determining which risks require a comprehensive contingency response.
  • Ensure All Team Members Are Aware of Contingency Plans: Contingency plans will not be effective if the employees in your organization are not aware or have only a vague understanding of them. Incorporate contingency planning into employee training and orientation programs, and communicate regular reminders and updates on the plans through team meetings, newsletters, and other internal communication channels.
  • Train Staff and Conduct Regular Drills: Your organization should train all employees responsible for specific tasks in the plan. Conducting exercises or drills where employees simulate a risk event scenario can help teams identify potential gaps or issues in the plan and improve its effectiveness.

    Many organizations will complete a business continuity or contingency plan, then “put it on a shelf and say, ‘OK, I did it.’ No, you didn’t,” says Andresen. “You haven't done it. You don’t know what’s in it. You don’t have the muscle memory for what the procedures are. When the disaster happens, you don’t want to be saying, ‘Hold on, let me flip through the pages.’ That's another integral part to business continuity planning or contingency planning: to train the plan and exercise the plan. That’s how you figure out if the plan works.”
  • Continually Review Plans and Make Necessary Adjustments: Drills and exercises are crucial to contingency planning, as they allow organizations to identify which contingency are ineffective and need to be revised. It is essential to modify plans when necessary, whether due to changing risks or other factors.

    After conducting a drill on a contingency plan, Andresen advises, “Go back and relook at the plan and say, ‘OK, we did this well. This didn't work. This needs to be improved.’”

    By doing so, teams can ensure that their contingency plans actually work. “This is why this needs to be revisited continuously so that the plan is not just a heavy paperweight,” says Andresen. “Don't break your arm patting yourself on the back that you've accomplished making the plan — actually do something with it.”

Types of Exercises to Test Your Contingency Plan

Conducting a variety of drills and exercises for contingency plans is essential for organizations that want to be prepared for any potential risks. The following chart outlines different types of exercises that can test and improve your contingency plans.

Type of Exercise Description Goal Structure and Components Required Resources
Walkthroughs, workshops, or orientation seminars These are simple events that inform team members of an organization’s contingency plans. To help team members become familiar with emergency response in general and understand their responsibilities  in the contingency plan. Contingency plan experts and panel discussions are used to provide information during presentations. Presenter or presenters, often internal to the organization.
Tabletop exercises These drills require team members to meet in a classroom setting to discuss their roles during an emergency, using hypothetical scenarios. To help team members understand potential issues and problems that may arise during an actual event. A facilitator presents hypothetical scenarios, and team members apply their knowledge and skills to problem-solve in real time. An experienced facilitator – internal or external – and a conference room to conduct the exercise.
Functional exercises These drills test a contingency plan by having team members simulate performing their duties that are part of the plan. To test the functionality of  various components and procedures within the contingency plan in order to identify areas that need improvement. Exercise observers evaluate behavior and performance, and improvements  are made to the plan. A facilitator, increased planning, some location and other resources to create a more realistic simulation.
Full-scale exercises These drills are designed to mimic a real event as closely as possible, with participants in the field where a real event might happen. To provide a comprehensive understanding of the contingency plan and uncover any potential complications or problems with equipment and  resources during a real event. Full-scale exercises mimic actual damage that could occur, use actual resources, and may include the participation of other organizations and government agencies. Significantly more resources and staff time to arrange and participate in a real-world simulation. In some cases, you will need to plan for participation from external groups and agencies.

Common Contingency Planning Pitfalls to Avoid

To achieve effective contingency planning, it is important to be aware of common challenges and pitfalls. One such challenge: organizations not allocating sufficient resources to planning and executing responses that are part of the plans.

These are some of the most common challenges and pitfalls to avoid:

  • Lack of Resources Devoted to Contingency Planning and Actions: To create effective contingency plans, organizations must allocate staff time and resources for both planning and response. This includes significant resources to execute the actions required in response to a risk event. Neglecting these necessary resources can result in ineffective contingency plans and costly responses to risks.
  • Lack of Buy-in From Organizational Leaders: Lack of buy-in from organizational leaders often results in a lack of resources. Leaders who don’t value contingency planning might not provide the necessary funding, time, or attention to ensure the plans are effective. This can result in plans that are incomplete, inadequate, or not tested or updated regularly.

    “Every level of employee is going to look at leadership and see if they take this seriously,” Andresen says. “Is this some simple extra duty? If leadership is saying, ‘No, this is really important, and this is why this is important,’ they get the employees behind that. Then the employees are going to take it seriously.”
  • Bias Against Plan B Thinking: Contingency planning assumes that at some point, an organization’s mission is going to fail. Unfortunately, some organizational leaders have a bias against this, as they perceive it as thinking about a Plan B. However, these leaders must work to understand that having contingency plans is vital for the organization’s future and doesn’t reflect a lack of confidence in Plan A.
  • One-and-Done Contingency Plans: According to Andresen, organizations often develop contingency plans because they are deemed useful or someone within the organization encourages their development. However, these contingency plans are often completed, then disregarded. In order for contingency plans to be effective, organizations must share them widely, train their employees on them, and continuously adapt them to changing circumstances.

Effective vs. Ineffective Contingency Planning Example

The table below demonstrates the varying outcomes between a well-considered contingency plan and one that is less so. The consequences of these differing results can be significant for both the organization and the community.

Resource and Environment at Risk: An oil production facility has above-ground oil flowlines that run for 7,000 feet. The facility is located half a mile west of a major creek and six miles north of a river. The creek flows into the river, which flows into a town of 150,000 people located 12 miles away.

Contingency Plan Purpose: Detect and mitigate any significant oil leak from the facility's flowlines, with the goal of minimizing environmental damage. The plan places a special emphasis on preventing oil from reaching the nearby creek or river.

Effective Contingency Plan Components Result Ineffective Contingency Plan Components Result
Staff conducts line pressure and component checks every 12 hours to identify significant line leaks. A major leak occurs in a flowline, leading to an automatic shutdown of the affected line. The changed pressure and other issues are detected within 4 hours of the leak, and response efforts begin at that point. Line pressure and other components are checked by staff every 24 hours, but might not be sufficient to detect significant line leaks in a timely manner. A rupture and leak from a single flowline are detected 8 hours after the leak begins, when the automatic line shutdown and significant amounts of oil spilled are noticed by others at the facility. Response begins at that point.
Plant ensures that every employee shift has a minimum of three trained personnel for spill response. Trained employees take immediate action per the plan, including shutting down flowlines and notifying the plant's emergency response coordinator and other leaders. Only a few of employees are trained on spill response and might not be available on every shift. No trained employees are working the night shift when the leak is detected. Employees respond to the leak as quickly as possible but are delayed by communication among each other and with off-duty employees, leading to a 45-minute delay in the full shutdown of flowlines. It takes 75 minutes to reach the plant’s emergency response coordinator and other plant leaders.
Plant maintains equipment and materials to construct temporary trenches and mounds to stop leaked oil from moving toward the creek or river. Within an hour of detecting the spill, crews start building trenches and mounds to contain the oil and prevent it from spreading beyond the plant area. Contingency plan does not include any construction of trenches or mounds to limit oil movement toward the creek or river. Significant quantities of leaked oil move outside the plant on its east side and toward the creek a mile away.
Contingency plan mandates the deployment of floating booms across the creek downstream from the spill, and regular inspection of access points every three months for boom deployment. Crews stand ready to deploy booms if needed, and initiate the process if any oil moves past the trenches and mounds.
Contingency plan calls for deployment of floating booms across the width of the creek downstream from the spill, but access points to the creek are not periodically inspected.
As the leaked oil moves toward and into the creek, crews discover that construction work on a bridge near the creek is limiting their access to deploy booms. They can only partially deploy booms in the creek. Plant and government officials later determine that about 100,000 gallons of oil moved down the creek and later into the river.

 

Business Contingency Plan vs. Business Continuity Plan

A business continuity plan and a business contingency plan share some similarities, but a business continuity plan primarily focuses on how an organization can continue operations during an emergency, whereas a contingency plan addresses a broader range of risks.

  • Business Continuity Plan: A business continuity plan outlines the steps an organization will take to maintain normal operations following a major and disruptive event, such as an earthquake, fire, or major data breach.
  • Business Contingency Plan: A business contingency plan covers a broader range of risks that an organization might face and outlines how the organization plans to respond. These risks can include potential major disruptions or events that might not directly affect operations but still require an effective response.

Business Contingency Plan vs. Project Risk Management Plan

Business contingency plans and project risk management plans both identify potential risks and determine ways to respond to them. The former focuses on risks to the entire organization, while the latter focuses on risks to a particular project.

In a project risk management plan, teams identify and assess possible risks to a specific project. It then determines how project leaders can respond to, eliminate, or mitigate those risks.

A business contingency plan identifies potential threats to an organization's ability to continue operating. It assesses risks that could temporarily or permanently halt operations, and then outlines plans to mitigate or eliminate those risks.

Effectively Plan Your Response to Risks with Real-Time Work Management in Smartsheet

Empower your people to go above and beyond with a flexible platform designed to match the needs of your team — and adapt as those needs change. 

The Smartsheet platform makes it easy to plan, capture, manage, and report on work from anywhere, helping your team be more effective and get more done. Report on key metrics and get real-time visibility into work as it happens with roll-up reports, dashboards, and automated workflows built to keep your team connected and informed. 

When teams have clarity into the work getting done, there’s no telling how much more they can accomplish in the same amount of time. Try Smartsheet for free, today.

 

 

 

Discover why over 90% of Fortune 100 companies trust Smartsheet to get work done.

Try Smartsheet for Free Get a Free Smartsheet Demo