Enterprises are often defined by how they deal with events that are out of their control. For example, how you react to a disruptive technology or cope with a sudden change in the markets can be the difference between success and failure.

Contingency planning is the art of preparing for the unexpected. But where do you start and how do you separate the threats that could do real harm to your business from the ones that aren’t as critical?

Here are some important definitions, best practices and strong examples to help you build contingency plans for whatever your business faces.

What is a contingency plan?

Business contingency plans, also known as “business continuity plans” or “emergency response plans” are action plans to help organizations resume normal business operations after an unintended interruption. Organizations build contingency plans to help them face a variety of threats, including natural disasters, unplanned downtime, data loss, network breaches and sudden shifts in customer demand.

A good place to start is with a series of “what if” questions that propose various worst-case scenarios you’ll need to have a plan for. For example:

• What if a critical asset breaks down, causing delays in production?
• What if your top three engineers all quit at the same time?
• What if the country where your microprocessors are built was suddenly invaded?

Good contingency plans prioritize the risks an organization faces, delegate responsibility to members of the response teams and increase the likelihood that the company will make a full recovery after a negative event.

Five steps to build a strong contingency plan

1. Make a list of risks and prioritize them according to likelihood and severity.

In the first stage of the contingency planning process, stakeholders brainstorm a list of potential risks the company faces and conduct risk analysis on each one. Team members discuss possible risks, analyze the risk impact of each one and propose courses of action to increase their overall preparedness. You don’t need to create a risk management plan for every threat your company faces, just the ones your decision-makers assess as both highly likely and with a potential impact on normal business processes.

2. Create a business impact analysis (BIA) report

Business impact analysis (BIA) is a crucial step in understanding how the different business functions of an enterprise will respond to unexpected events. One way to do this is to look at how much company revenue is being generated by the business unit at risk. If the BIA indicates that it’s a high percentage, the company will most likely want to prioritize creating a contingency plan for this business risk.

3. Make a plan

For each potential threat your company faces that has both a high likelihood of occurring and a high potential impact on business operations, you can follow these three simple steps to create a plan:

• Identify triggers that will set a plan into action: For example, if a hurricane is approaching, when does the storm trigger your course of action? When it’s 50 miles away? 100 miles? Your teams will need clear guidance so they will know when to start executing the actions they’ve been assigned.
• Design an appropriate response: The threat your organization prepared for has arrived and teams are springing into action. Everyone involved will need clear, accessible instructions, protocols that are easy to follow and a way to communicate with other stakeholders.
• Delegate responsibility clearly and fairly: Like any other initiative, contingency planning requires effective project management to succeed. One proven way to address this is to create a RACI chart. RACI stands for responsible, accountable, consulted and informed, and it is widely used in crisis management to help teams and individuals delegate responsibility and react to crises in real time.

4. Get buy-in from the entire organization—and be realistic about cost

Sometimes it can be hard to justify the importance of putting resources into preparing for something that might never happen. But if the events of these past few years have taught us anything, it’s that having strong contingency plans is invaluable.

Think of the supply chain problems and critical shortages wreaked by the pandemic or the chaos to global supply chains brought about by Russia’s invasion of Ukraine. When it comes to convincing business leaders of the value of having a strong Plan B in place, it’s important to look at the big picture—not just the cost of the plan but the potential costs incurred if no plan is put in place.

5. Test and reassess your plans regularly

Markets and industries are constantly shifting, so the reality that a contingency plan faces when it is triggered might be very different than the one it was created for. Plans should be tested at least once annually, and new risk assessments performed.

Contingency plan examples

Here are some model scenarios that demonstrate how different kinds of businesses would prepare to face risks. The three-step process outlined here can be used to create contingency plans templates for whatever threats your organization faces.

A network provider facing a massive outage

What if your core business was so critical to your customers that downtime of even just a few hours could result in millions of dollars in lost revenue? Many internet and cellular networks face this challenge every year. Here’s an example of a contingency plan that would help them prepare to face this problem:

1. Assess the severity and likelihood of the risk: A recent study by Open Gear showed that only 9% of global organizations avoid network outages in an average quarter. Coupled with what is known about these attacks—that they can cause millions of dollars in damage and take an immeasurable toll on business reputation—this risk would have to be considered both highly likely and highly severe in terms of the potential damage it could do to the company.
2. Identify the trigger that will set your plan in action: In this example, what signs should decision-makers have watched for to know when a likely outage was beginning? These might include security breaches, looming natural disasters or any other event that has preceded outages in the past.
3. Create the right response: The organization’s leaders will want to determine a reasonable recovery time objective (RTO) and recovery point objective (RPO) for each service and data category their company faces. RTO is usually measured with a simple time metric, such as days, hours or minutes. RPO is a bit more complicated as it involves determining the minimum/maximum age of files that can be recovered quickly from backup systems in order to restore the network to normal operations.  

A food distribution company coping with an unexpected shortage

If your core business has complex supply chains that run through different regions and countries, monitoring geopolitical conditions in those places will be critical to maintaining the health of your business operations. In this example, we’ll look at a food distributor preparing to face a shortage of a much-needed ingredient due to volatility in a region that’s critical to its supply chain:

1. Assess the severity and likelihood of the risk: The company’s leaders have been following the news in the region where they source the ingredient and are concerned about the possibility of political unrest. Since they need this ingredient to make one of their best-selling products, both the likelihood and potential severity of this risk are rated as high.
2. Identify the trigger that will set your plan in action: War breaks out in the region, shutting down all ports of entry/exit and severely restricting transport within the country via air, roads and railroads. Transportation of their ingredient will be challenging until stability returns to the region.
3. Create the right response: The company’s business leaders create a two-pronged contingency plan to help them face this problem. First, they proactively search for alternate suppliers of this ingredient in regions that aren’t so prone to volatility. These suppliers may cost more and take time to switch to, but when the overall cost of a general production disruption that would come about in the event of war is factored in, the cost is worth it. Second, they look for an alternative to this ingredient that they can use in their product.

A social network experiencing a customer data breach

The managers of a large social network know of a cybersecurity risk in their app that they are working to fix. In the event that they’re hacked before they fix it, they are likely to lose confidential customer data:

1. Assess the severity and likelihood of risk: They rate the likelihood of this event as high, since, as a social network, they are a frequent target of attacks. They also rate the potential severity of damage to the company as high since any loss of confidential customer data will expose them to lawsuits.
2. Identify the trigger that will set your plan in action: Engineers make the social network’s leadership aware that an attack has been detected and that their customer’s confidential information has been compromised.
3. Create the right response: The network contracts with a special response team to come to their aid in the event of an attack and help them secure their information systems and restore app functionality. They also change their IT infrastructure to make customer data more secure. Lastly, they work with a reputable PR firm to prepare a plan for outreach and messaging to reassure customers in the event that their personal information is compromised.

The value of contingency planning 

When business operations are disrupted by a negative event, good contingency planning gives an organization’s response structure and discipline. During a crisis, decision-makers and employees often feel overwhelmed by the pile-up of events beyond their control, and having a thorough backup plan helps reestablish confidence and return operations to normal.  

Here are a few benefits organizations can expect from strong contingency plans:

• Improved recovery times: Businesses with good plans in place recover faster from a disruptive event than companies that haven’t prepared.  
• Reduced costs—financial and reputational: Good contingency plans minimize both financial and reputational damage to a company. For example, while a data breach at a social network that compromises customer information could result in lawsuits, it could also cause long-term damage if customers decide to leave the network because they no longer trust the company to keep their personal information safe.
• Greater confidence and morale: Many organizations use contingency plans to show employees, shareholders and customers that they’ve thought through every possible eventuality that might befall their company, giving them confidence that the company has their interests in mind.

Contingency plan solutions

IBM Maximo Application Suite is an integrated cloud-based solution that helps businesses respond quickly to changing conditions. By combining the power of artificial intelligence (AI), Internet of Things (IoT) and advanced analytics, it enables organizations to maximize the performance of their most valuable assets, lengthen their lifespans and minimize costs and downtime.