Write a Contingency Plan

Organizations create contingency plans, sometimes called a "Plan B," to prepare for something bad that could affect the organization's ability to function. Developing an effective contingency plan is essential for any organization. Many things can put an organization at risk, from a technical disaster (like a data breach) to a natural one (like a flood). Writing contingency plans prepares an organization for such possibilities.

Steps

Sample Contingency Plans

Doc:Contingency Plan for Fire,Contingency Plan for Threat,Contingency Plan for Data Recovery

Assessing the Risks

1. Prepare to write your contingency plan. The key goal should be to make sure you can maintain the operation of your organization if the disaster were to occur.
   • It’s a good idea to have a formal policy spelling out the need for a contingency plan.^[1]
   • The plan should be simple overall. The language and directions in it should be understandable to future audiences. You never know who will have to implement it.
   • Figure out the specific trigger that will require you to use your contingency plan. Determine how you will measure success so that you can return to normal operations. Identify all operations that are critical to your business continuing.
2. Make sure the plan answers the three key questions of contingency plans. Making sure your plan addresses each of these three questions will help you ensure you don't miss anything.
   • What could happen?
   • What will we do in response?
   • What can we do in advance to prepare? ^[2]
3. Figure out the risks that are most likely to occur for your specific organization. Determining potential risks is one of the most important aspects of a contingency plan. This won’t be a one-size-fits-all process. You need to determine the risks that are unique to the organization. There are many possible risks that businesses can face.
   • Natural disasters, such as floods, hurricanes and droughts may require a contingency plan.^[3] Other possible risks include a crisis, work site accident, personnel problems (like death of a leader or a strike), data loss, mismanagement, and product issues (like a recall).
   • You should focus on areas including management, communications, financial resources, coordination, logistical and technical responses.^[2]
   • Technical disasters can include those components of your organization dealing with communication infrastructure. You will want to consider potential loss of data or customers.^[4]
4. Prioritize the risks. Rank the risks based on the probability they will occur. All risks are not created equal, and most contingency plans can’t deal in depth with every single potential risk. You need to figure out which are most likely and would affect the company most.
   • Focus in on the most critical events. You should list every single event that might affect operations, but then rank them 1 to 10. What would be the impact of each event? A small fire isolated to one machine will likely rank lower than the entire plant burning down, for example.
   • Then, develop a ranking for how often the risk might occur. For example, you could score it a 10 if it could happen once a month and a 1 if it might happen once in 100 years. Then, multiply the two scores, for likelihood and impact, to get a total score.
   • Work on the highest scores first. Come up with a cut off. You might look at the low score items and develop a general process, though. Areas that are essential to the organization’s survival are usually put at the top, such as maintaining cash flow, market share, and staff support.^[5]

Identify scenarios

1. Develop scenarios for the highest-ranked risks. You will need to produce realistic scenarios for each risk in order to develop an effective contingency plan. Specifically outline what could happen if each of the top priority risks was to occur.^[6]
   • You can start determining impacts after you develop the scenarios thoroughly. What could be the ultimate impact of each scenario, in detail?
   • You could develop different gradations of the same scenario, such as the best-case, most likely case, and worst-case scenario.^[7]
2. Create a timeline for how the scenarios might unfold. Determine who will be in charge of what and when. Don’t forget to update contact lists and determine who will be responsible for notifications.
   • Outline time frames. What will happen on the first day or the first week? Be very specific.
   • You could have timelines for scenarios that deal with physical vulnerabilities, organizational vulnerabilities and institutional vulnerabilities. For example, physical vulnerability might deal with infrastructure. Organizational might deal with whether there are early warning systems or skilled response teams. Institutional vulnerabilities might deal with whether there are financial resources available or external partners. Different people might be in charge of different aspects.
3. Decide what will be most essential to get your business operational again. Explore these angles in detail. Chart out capacities as well as vulnerabilities. What capacity does the organization have to meet risks or mitigate them?
   • For example, say the potential hazard is a flood. A potential risk might be river floods overflowing the banks and affecting homes in the area. The vulnerability might be poor infrastructure. The capacity might be having skilled personnel on hand.
   • Do an honest assessment of resources. What functions will you have to change or reduce because of limited resources? Perform a business impact analysis. You want to identify which areas are necessary for the business to meet its mission and continue operating.
4. Find ways to reduce risk. It’s usually not enough to develop a “Plan B” and then sit back and hope it never comes to fruition. Assess how you can take steps immediately to reduce the risks. Develop preventative strategies.
   • Consider the availability of partners. What local resources would be available if the disaster struck? Would neighbors be willing to help?
   • The best contingency plans help companies pinpoint areas they can improve so that they reduce the likelihood of the plan being needed in the first place.
   • You might realize you need insurance, for example, or should have disaster drills. Perhaps you realize that key personnel need additional training. When it comes to data threats, you could have a back-up system installed. Devise a plan for each scenario^[8]

Maintain your Contingency Plan

1. Communicate about the plan to all employees. You need to educate key people in your organization about the place before it’s ever needed.
   • Tell people which role and responsibilities they will have so there’s no confusion if the plan needs to be implemented in an emergency. This will reduce the chances of panic.
   • Give people the proper training they will need to meet their obligations as outlined in the plan. Hold drills if needed. Make adjustments after observing training.
2. Test your contingency plan. You can make testing manageable and cost-effective by testing in four stages. If an area proves to be flawed or conflicts with contingency plans from other departments, you can edit and the retest the plan.
   • Conduct a senior staff review. The senior staff chooses a date and time to go over all contingency plans and recognize the people who thoroughly completed their assignment.
   • Perform an interdepartmental review. This is where every department reviews another department's plans. This is the stage that allocates resources and identifies conflicts.
   • Study failures of critical systems. This testing stage can be localized within departments. Testing involves the simulation of system and/or vendor failures. You can role play scenarios without having to actually shut down important equipment or processes.
   • The real deal. Finally, you should fully test out the contingency plan. This can involve short-term shutdowns in key areas done in real time.
3. Store the plan in a place where it can be easily accessed. If disaster strikes, you don’t want the plan to burn down with the fire or be swept away with the flood. You don’t want a data breach to make it hard to retrieve the plan when you need it most.
   • Find a location for the plan (or a copy of it) in a different location. You want to keep it somewhere, though, where you can get to it fast if you need to.
   • Always keep a copy of the plan in a different location from the original. And make sure that more than one person knows how to access it and has authority to do so.
4. Revisit the plan on a regular schedule. Sometimes things change. Your assumptions could be outdated. The risks might be greater than they were before.
   • Involve more than one person in the plan and its updates. For example, you might want a new employee to look at it with a fresh eye or have it audited.
   • Confirm all assumptions by matching them with recent data or by checking them with a third-party. Perhaps the back-up computer system holds less data than you assumed.

Tips

• Don’t make your contingency plan such a low priority that you never get to it!
• You may want more than one contingency plan.
• Start by setting up a contingency planning committee and chose an individual who will lead this committee. The contingency plan leader provides skills, tools and a knowledge base so that each department can write its own plan.
• Go over the plan again. A second review helps find things that were missed the first time.

Sources and Citations