Businesses need a plan to get back on track when a disaster interrupts daily operations. Contingency plans, also known as “business continuity plans,” “emergency response plans” and “disaster recovery plans” help organizations recover after a disruption.
Whether they’re preparing for a global outbreak of a deadly virus, crisis management around a data breach or the loss of an important client, contingency plans help organizations bounce back after a negative event.
Companies create many kinds of recovery strategies for everything, from the merger of key competitors to the insolvency of the bank that processes its employee payroll. In India, the government was busy designing a contingency plan as a drier-than-expected monsoon season approached.¹ Meanwhile, in Hong Kong, a large bank was preparing a plan b in case a host of new sanctions were levied as the result of a recent geopolitical development.²
This guide summarizes what sustainability-forward organizations look for in their ESG software platform to help achieve their goals.
Register for the ebook on ESG reporting frameworks
Here are five steps companies use to create effective business contingency plans.
The contingency planning process begins with a risk assessment to gauge the potential impact of each risk. Typically, business leaders and employees conduct risk analysis.
Team members begin with a brainstorming session where they discuss potential risks, courses of action and the company’s overall preparedness. During this stage, it’s important to be clear about the scope of the project and invite all relevant stakeholders to give input. Companies don’t need to create a risk management plan for every threat they face, just the ones deemed highly likely and with the potential to interrupt business operations.
Effective business impact analysis (BIA) is critical to understanding different business functions and how they will react to unexpected events. For example, while a shortage in micro-processors might be devastating to a part of a business that deals with the manufacture of gaming consoles, it likely has little to no impact on the same company’s HR department.
To assess the urgency of creating an action plan for this specific threat, the company would need to know how much of its revenue was being generated from the part of the business threatened by the microprocessor shortage. If gaming consoles are a high percentage of their revenue, they will put a strong plan in place soon.
A well-developed BIA helps stakeholders assess risk and better understand which parts of their business are most critical to daily operations.
After identifying the risks their company faces, determining the likelihood and severity of each risk and conducting a BIA, business leaders can follow a simple, three-step process to build their backup plan.
Identify the triggers that set their plan into action: For example, if a hurricane is approaching, at what point does the approaching storm trigger the contingency plan? When it’s 50 miles away or a 100? They must make clear decisions so the teams they put in charge of execution know when to start their work.
Design an appropriate response: The threat the business prepared for arrives. Teams must know exactly what’s expected of them so the company can recover quickly. Compile clear, accessible instructions, protocols that are easy to follow and a way for everyone to communicate with each other.
Delegate responsibility clearly and fairly: Like any other initiative, contingency planning requires effective project management to succeed. In the case of an existential threat such as a natural disaster, everyone involved in helping the company recover must know their role and be properly trained to perform it.
For example, in the case of a fire, it wouldn’t be fair to expect employees untrained in firefighting to pick up a hose. However, with the right training, they might conduct headcounts or go floor-to-floor to ensure that other employees have evacuated.
One way to improve workflow among teams when designing a plan is to create a RACI chart. RACI stands for responsible, accountable, consulted and informed and is a widely used process to help teams and individuals delegate responsibility and react to crises in real time.
While it can be hard to justify the importance of putting financial resources into something that might never happen, these past few years have taught us the value of good contingency planning. Think of all the supply chain problems, critical shortages of personal protective equipment and financial havoc wreaked by the pandemic. What would have been different if organizations had had effective contingency plans in place?
Cost and uncertainty are significant barriers when convincing business leaders of the importance of making an investment in contingency planning. Since all costs for contingency plans are estimated—there’s no way of knowing precisely how events will disrupt a business—decision-makers are understandably hesitant.
Different industries have different ways of approaching this problem. In the construction industry, it’s common to set aside 10% of the overall budget of a project for contingencies. Other industries use different methods.
One popular method estimates risks according to a percentage of how likely they are to occur. By this method, if there’s a 25% risk of an event occurring that will result in USD 200,000 in recovery costs, the company must set aside 25%—or USD 50,000—to be in compliance with their contingency plan.
Markets and industries are constantly shifting, so the reality that a contingency plan faces when it is triggered might be different than the one it was created for. For example, after the 9/11 terror attacks, many of the contingency plans that the US government had in place were suddenly irrelevant because they had been prepared decades before.
To avoid a similar disconnect between plans and threats, businesses need to constantly test and reassess the plans they’ve made. For example, IBM’s guidelines mandate that plans should be tested at least once annually and improved upon as necessary. If new risks are discovered and their severity and likelihood is deemed high enough, the old plans might be scrapped altogether.
When businesses are hit with an unexpected disruption, a strong contingency plan gives much-needed structure to the recovery process. Disruptive events cause chaos and decision-makers and employees are often left scrambling to understand what is happening and how best to respond to it. Having a strong plan to turn to can help restore confidence and show the way forward.
Here are a few benefits business leaders who create strong contingency plans can expect:
Businesses that create strong plans recover faster from a disruptive event than businesses that don’t. When a negative event occurs, the faster the business recovers and gets back to business-as-usual, the lower the risk to the company, its customers and its employees.
A good contingency plan minimizes the damage to a company—both reputational and financial. For example, while a data breach will undoubtedly damage a bank’s reputation, as well as its bottom line, how the bank responds will play a critical role in whether its customers decide to continue doing business with it.
Many organizations use a strong contingency plan to show employees and customers that they take preparation seriously. By planning for a wide range of potentially damaging events, business leaders can show investors, customers and workers that they’ve taken the necessary steps to minimize risk.
Many plans focus on natural disasters such as floods, earthquakes or fires. Others deal with data breaches, unexpected network downtime or the loss of a key employee such as a CEO or founder. Here are a few examples of contingency plan templates that deal with broadly different scenarios across a range of industries.
Severity and likelihood of risk: The manufacturers have been following the news in a region where they source specific airplane parts and have deemed the likelihood of disruption there “high.” They initially conduct a search for another supplier but quickly learn that it takes months—even years—to find one. Since the part is necessary for the construction of all their airplanes, they label the severity of this disruption “high” as well.
Trigger: Suppliers make the manufacturer aware that they will soon run out of the needed part due to a disruptive geo-political event in its country of origin.
Response: The manufacturer begins the search for a new supplier of the much-needed part in a more stable country.
Severity and likelihood of risk: The managers of a bank know of a vulnerability in their app that they are working to fix. If the app is hacked and their information systems are compromised, they are likely to lose vital customer data. They rate the likelihood of this event as “high” since, as a financial institution, they are a desirable target.
They also know from watching their competitors face similar situations that the potential for disruption to their business in an event like this is great. They rate the severity of this risk as “high” as well.
Trigger: IT makes the bank’s managers aware that the bank’s app has been hacked and their customers’ data is no longer secure.
Response: The app is immediately shut down and customers are notified that their data has been compromised. They are made aware of the steps that the bank is taking to ensure that they have access to their money and that their personal information is not available to anyone on the dark web. An on-call team of specially trained security experts come in to restore the bank's systems and secure customer information.
Severity and likelihood of risk: The plant’s managers know that severe flooding might spread un-treated water into the city’s streets and public waterways. Both the severity of this risk and its likelihood given the impending storm are deemed “high.”
Trigger: The hurricane’s path turns toward the city and approaches to less than 100 miles away with wind speeds higher than the threshold rated “safe.” The plant’s contingency plan is put into action.
Response: All necessary workers are recalled to the plant 24/7 and measures are taken to treat as much of the water as possible before the hurricane arrives. According to their plan, whatever is left over will be pumped into holding tanks that are designed to withstand a hurricane. When windspeeds rise to a certain velocity, the plant itself is shut down and all workers evacuated.
Help your business respond quickly to changing conditions with IBM Maximo, an integrated cloud-based solution that harnesses the power of artificial intelligence (AI), Internet of Things (IoT) and advanced analytics to maximize performance and minimize costs and downtime.
Learn more about the process of disaster recovery planning and Disaster-Recovery-as-a-Service.
Discover how global supply chains responded to the COVID-19 pandemic and are developing better ways to balance efficiency and resilience.
See how businesses are leveraging AI and other emerging technologies to maintain business continuity amid disruption and uncertainty.
Footnotes
1 “El Nino contingency plan being readied for farmers and output” (link resides outside ibm.com), Elara Securities Pvt Ltd., 27 April 2023.
2 “HKMA has prepared contingency plans in case of severe sanctions” (link resides outside ibm.com), UBS Global Research and Evidence Lab, 5 May 2022.