Successful organizations must understand potential risks and have contingency plans in place to address them. We’ve assembled expert tips on effective contingency planning and offer practical insights on how to test those contingency plans.
Included on this page, you’ll find the benefits of contingency planning, steps to take to create a contingency plan, examples of contingency plans, and information on a range of exercises your team can do to test its contingency plans.
A contingency plan is a proactive strategy that outlines the actions a person or entity will take in response to a potential future event. Businesses often develop contingency plans to prepare for risks and mitigate their impact on the business.
Business contingency planning is work an organization does to determine how it responds to future events that might affect the business. The goal is to prepare an organization to respond to negative events and mitigate their impact on the business.
A business contingency plan is a written document that outlines an organization’s contingency planning efforts. It typically includes a comprehensive assessment of possible risks to the business and corresponding measures the organization has planned to mitigate these risks, such as legal and budget contingency.
A business contingency plan is crucial for any organization, as it helps them respond quickly and effectively to negative events. With a solid contingency plan in place, companies can minimize damages and continue to thrive even amid challenges.
While an organization might develop a contingency plan for risks to individual projects or general risks to the enterprise as a whole, business contingency plans refer specifically to general risks to the enterprise. This document details all of the most important risks that a business or organization faces.
In recent years, the importance of business contingency plans has increased significantly. With the rise of climate change, natural disasters have become more frequent and disruptive, underscoring the need for organizations to have effective contingency plans. In addition, the ever-growing threat of cybercrime has further highlighted the importance of contingency planning, as businesses increasingly rely on technology to operate.
“Before, you might have said, ‘What are the odds of a 100-year flood?’” says Luis Contreras, President and Principal Consultant for AzTech International, a California consultancy that helps organizations manage large, complex projects. “Well, they are happening more often now. ‘What are the odds of a cyber incident?’ Well, they're happening more often.”
Many organizations take steps in their risk management programs to try to completely eliminate certain risks. However, it’s almost impossible for any organization to completely eliminate the chance of a risk happening, says Erika Andresen, a business continuity and resilience expert, author, and founder of EaaS Consulting . Business contingency planning is important, she says, “because your risk management will fail at a certain point.”
Contingency plans offer several benefits to organizations. They enable organizations to respond promptly and effectively to unexpected events, minimize damages, and facilitate a quick recovery. With a contingency plan in place, organizations can take proactive measures to mitigate risks.
Here are some of the primary benefits of having a contingency plan in place:
Accessible, decentralized information is invaluable in a crisis event or when top leaders in a company suddenly leave.“If you have a company with one or two top leaders, then it makes it even more important,” says Lokenauth.
A contingency plan covers the important risks the organization is monitoring and any possible triggers to those risks. It also outlines the specific actions organization staff will take to respond to them.
A contingency plan often includes the following components:
Learn more about important components and how to write an effective contingency plan in this all-inclusive guide to writing contingency plans.
Developing a contingency plan begins with identifying and assessing potential risks. Next, teams outline an appropriate response to each risk, including specific actions that need to be taken and who will be responsible for executing those actions.
To develop an effective contingency plan, businesses need to follow some critical steps. The process starts with identifying and assessing potential risks and creating a response plan. Teams should then be trained on the plan and continually monitor potential risks.
These are the important steps to creating an effective contingency plan:
Business Contingency Planning Grid Template
Download a Sample Business Contingency Planning Grid Template for
Excel | Microsoft Word
Download a Business Contingency Planning Grid Template for
Excel | Microsoft Word
Download this business contingency planning grid template to assist your team in identifying potential risks to consider in your organization’s business contingency planning. This template provides a comprehensive list of broad risk categories and specific risks within those categories. By using this tool, you can evaluate which risks are relevant to your organization and develop appropriate contingency plans.
Contingency planning in IT follows the same basic steps as other organizations. However, it often begins with a contingency planning policy statement, which outlines an organization’s broad approach to contingency planning.
A contingency planning policy statement is a document that outlines how an organization will perform contingency planning. It includes details on objectives, roles and responsibilities, resource and training requirements, testing schedules, and data backup and storage plans.
A contingency planning policy statement should include the following components:
The National Institute of Standards and Technology (NIST) has created SP 800-34, a popular contingency plan guide for IT. The guide outlines the steps and considerations that organizations should take when developing, implementing, and maintaining an effective contingency plan.
The SP 800-34 guide covers the entire contingency planning process, from risk assessment to plan testing and maintenance. It is widely used as a reference by government agencies, private organizations, and security professionals.
Any organization’s IT contingency plan should include preventive controls. These are measures an organization can take to prevent interruptions to information services or technology.
Here are some basic IT preventive controls recommended by the NIST for federal information systems:
Contingency plan examples can help your team understand what to consider in creating a plan and the important components to include.
You can learn more about contingency planning and download blank and example contingency plans.
To improve your organization’s business contingency planning, experts recommend following a number of best practices, such as performing an effective risk assessment, training employees on the plan, and conducting exercises to test the plan.
These are some best practices to follow for effective business contingency planning:
After conducting a drill on a contingency plan, Andresen advises, “Go back and relook at the plan and say, ‘OK, we did this well. This didn't work. This needs to be improved.’”
Conducting a variety of drills and exercises for contingency plans is essential for organizations that want to be prepared for any potential risks. The following chart outlines different types of exercises that can test and improve your contingency plans.
| Type of Exercise | Description | Goal | Structure and Components | Required Resources |
| Walkthroughs, workshops, or orientation seminars | These are simple events that inform team members of an organization’s contingency plans. | To help team members become familiar with emergency response in general and understand their responsibilities in the contingency plan. | Contingency plan experts and panel discussions are used to provide information during presentations. | Presenter or presenters, often internal to the organization. |
| Tabletop exercises | These drills require team members to meet in a classroom setting to discuss their roles during an emergency, using hypothetical scenarios. | To help team members understand potential issues and problems that may arise during an actual event. | A facilitator presents hypothetical scenarios, and team members apply their knowledge and skills to problem-solve in real time. | An experienced facilitator – internal or external – and a conference room to conduct the exercise. |
| Functional exercises | These drills test a contingency plan by having team members simulate performing their duties that are part of the plan. | To test the functionality of various components and procedures within the contingency plan in order to identify areas that need improvement. | Exercise observers evaluate behavior and performance, and improvements are made to the plan. | A facilitator, increased planning, some location and other resources to create a more realistic simulation. |
| Full-scale exercises | These drills are designed to mimic a real event as closely as possible, with participants in the field where a real event might happen. | To provide a comprehensive understanding of the contingency plan and uncover any potential complications or problems with equipment and resources during a real event. | Full-scale exercises mimic actual damage that could occur, use actual resources, and may include the participation of other organizations and government agencies. | Significantly more resources and staff time to arrange and participate in a real-world simulation. In some cases, you will need to plan for participation from external groups and agencies. |
To achieve effective contingency planning, it is important to be aware of common challenges and pitfalls. One such challenge: organizations not allocating sufficient resources to planning and executing responses that are part of the plans.
These are some of the most common challenges and pitfalls to avoid:
The table below demonstrates the varying outcomes between a well-considered contingency plan and one that is less so. The consequences of these differing results can be significant for both the organization and the community.
Resource and Environment at Risk: An oil production facility has above-ground oil flowlines that run for 7,000 feet. The facility is located half a mile west of a major creek and six miles north of a river. The creek flows into the river, which flows into a town of 150,000 people located 12 miles away.
Contingency Plan Purpose: Detect and mitigate any significant oil leak from the facility's flowlines, with the goal of minimizing environmental damage. The plan places a special emphasis on preventing oil from reaching the nearby creek or river.
| Effective Contingency Plan Components | Result | Ineffective Contingency Plan Components | Result |
| Staff conducts line pressure and component checks every 12 hours to identify significant line leaks. | A major leak occurs in a flowline, leading to an automatic shutdown of the affected line. The changed pressure and other issues are detected within 4 hours of the leak, and response efforts begin at that point. | Line pressure and other components are checked by staff every 24 hours, but might not be sufficient to detect significant line leaks in a timely manner. | A rupture and leak from a single flowline are detected 8 hours after the leak begins, when the automatic line shutdown and significant amounts of oil spilled are noticed by others at the facility. Response begins at that point. |
| Plant ensures that every employee shift has a minimum of three trained personnel for spill response. | Trained employees take immediate action per the plan, including shutting down flowlines and notifying the plant's emergency response coordinator and other leaders. | Only a few of employees are trained on spill response and might not be available on every shift. | No trained employees are working the night shift when the leak is detected. Employees respond to the leak as quickly as possible but are delayed by communication among each other and with off-duty employees, leading to a 45-minute delay in the full shutdown of flowlines. It takes 75 minutes to reach the plant’s emergency response coordinator and other plant leaders. |
| Plant maintains equipment and materials to construct temporary trenches and mounds to stop leaked oil from moving toward the creek or river. | Within an hour of detecting the spill, crews start building trenches and mounds to contain the oil and prevent it from spreading beyond the plant area. | Contingency plan does not include any construction of trenches or mounds to limit oil movement toward the creek or river. | Significant quantities of leaked oil move outside the plant on its east side and toward the creek a mile aw ay. |
| Contingency plan mandates the deployment of floating booms across the creek downstream from the spill, and regular inspection of access points every three months for boom deployment. | Crews stand ready to deploy booms if needed, and initiate the process if any oil moves past the trenches and mounds. | Contingency plan calls for deployment of floating booms across the width of the creek downstream from the spill, but access points to the creek are not periodically inspected. | As the leaked oil moves toward and into the creek, crews discover that construction work on a bridge near the creek is limiting their access to deploy booms. They can only partially deploy booms in the creek. Plant and government officials later determine that about 100,000 gallons of oil moved down the creek and later into the river. |
A business continuity plan and a business contingency plan share some similarities, but a business continuity plan primarily focuses on how an organization can continue operations during an emergency, whereas a contingency plan addresses a broader range of risks.
Business contingency plans and project risk management plans both identify potential risks and determine ways to respond to them. The former focuses on risks to the entire organization, while the latter focuses on risks to a particular project.
In a project risk management plan, teams identify and assess possible risks to a specific project. It then determines how project leaders can respond to, eliminate, or mitigate those risks.
A business contingency plan identifies potential threats to an organization's ability to continue operating. It assesses risks that could temporarily or permanently halt operations, and then outlines plans to mitigate or eliminate those risks.
Empower your people to go above and beyond with a flexible platform designed to match the needs of your team — and adapt as those needs change.
The Smartsheet platform makes it easy to plan, capture, manage, and report on work from anywhere, helping your team be more effective and get more done. Report on key metrics and get real-time visibility into work as it happens with roll-up reports, dashboards, and automated workflows built to keep your team connected and informed.
When teams have clarity into the work getting done, there’s no telling how much more they can accomplish in the same amount of time. Try Smartsheet for free, today.
