Contingency plan – how to plan for the unforeseen

2 February 2023 / Article

What’s the system dependency like at your company, and how long would your organisation cope if critical functions went down? The outside world is an ever more uncertain place. The ongoing war in Ukraine, energy shortages in Europe, and an increased cyber threat against companies worldwide are just some of the factors that could pave the way for a situation in which an organisation’s access to critical systems and functions is taken down. In a scenario such as this, a customised contingency plan is critical in terms of limiting the negative consequences. But what should a contingency plan include, and where do you start?

What is the aim of a contingency plan?

The overall aim of a contingency plan is to ensure that serious incidents and emergencies that may impact an organisation are managed efficiently. The key phrase here is “efficient management” because when a crisis occurs, efficient management is critical to the outcome of the crisis. A substantial part of the planning work involves ensuring continuity in the day-to-day activities of the company during a crisis – and keeping the operations running effectively.

When a crisis hits, it’s common for tunnel vision to develop, with everyone focusing on the immediate emergency, even when that isn’t necessarily the best thing for the organisation. If a ship starts taking on water, having the entire crew drop everything they’re doing to start baling out is not the optimum approach. You need to make sure someone still has their hand on the rudder, that the cook is still in the galley cooking meals for the crew so that they have the energy they need to work overtime, and – not least – that someone is working to seal the hole. If everyone exhausts themselves doing the same thing, endurance levels will not be particularly high.

In times of a crisis a considerable amount of uncertainty will spread throughout the organisation. It’s then that having a plan that includes an organisational description, division of responsibilities, and specific duties at an individual level is a real help in generating a sense of security for employees and managers alike. A crisis also means that a lot of decisions must be made in a short period of time, so if several of these decisions have already been taken in advance when working on the contingency plan, the chances of substantially improving the crisis management are vastly increased. So rather than the crisis manager’s focus being on deciding on meeting rooms, who is responsible for contacting relatives, who’s providing food, who’s going to draw up a press release, etc., they can focus on the important strategic decisions.

How do you draw up a contingency plan?

When drawing up a contingency plan, you should start by mapping the company’s critical functions, their associated systems, and what the consequences will be if they are taken down in one way or another. The technical term for this is a Business Impact Analysis, or BIA for short. The results of the work done during this analysis can – and should – then form the basis for much of the contingency planning.

Working on a BIA can feel demanding because it’s a wide-ranging process. If the organisation has no contingency plan at all, the first priority should be on drawing one up that focuses on the most important issues. Once that’s in place, you can develop and extend the work.


Content and structure of a contingency plan

There is no absolute truth when it comes to what a contingency plan should include or how it should be structured: rather it should be customised in line with every organisation’s unique conditions. There are, however, certain elements on which there is a consensus, and which it might be wise to include. See below for a structure and the elements that a contingency plan should, at a minimum, include:

1. The plan’s objectives

You should start by defining the objectives of the plan you are drawing up. It should be clear why the plan exists, what areas it covers, and how it should be used.

It’s not uncommon in large and more complex organisations to draw up multiple contingency plans with different objectives. So, there might be both continuity plans for IT systems and other critical functions, as well as plans for handling alternative directions in conjunction with the provision of services for customers, or a specific contingency plan for managing threat situations.

2. Mandate and authority

The crisis management team’s mandate and authority in connection with the crisis management work should be clearly described. The Crisis Manager and other roles in the crisis management team need clear authority if they are to take decisions effectively.

Time is a critical factor in emergencies, so you want to avoid a situation where the crisis management team needs to gain support and external approval for various decisions in connection with the crisis management work. You can eliminate this problem by ensuring that the contingency plan clearly describes different roles’ mandate and authority.

3. Organisation and duties/actions

The crisis organisation now needs to be defined in terms of roles, associated areas of responsibility, and duties. It’s a good idea to base this definition on the following fundamental principles:

The responsibility principle

The part of the organisation that is responsible for a specialist area under normal conditions shall be responsible for that area during a crisis situation, too. It should also be responsible for putting the requisite contingency preparations in place and for handling extraordinary incidents in its area.

The equality principle

The organisation should, in principle, be as like the everyday organisation as possible during a crisis. A major reorganisation during times of crisis creates unnecessary confusion and you should endeavour, instead, to ensure that the organisation will operate and function in the same way as under normal conditions.

What’s “familiar” is what feels “safe”, particularly during crises, so try to maintain the same, familiar organisation during crises as under normal circumstances.

The proximity principle

A crisis should be managed where it happens and by the people who are immediately affected and responsible. As a rule of thumb, organisationally speaking, crises should be managed at the lowest possible level.

Don’t let the management group, who under everyday conditions take decisions at a strategic level, become “doers” in the crisis organisation. The management group should meet and take decisions at regular intervals and let the professionals work with and manage the operational aspects of the crisis.

The cooperative principle

Both public sector operators, such as official bodies, and private organisations have an independent responsibility to ensure optimum collaboration with other affected parties in their work with contingency planning and crisis management. In practical terms, this means that you need to draw up resource lists with details of relevant authorities, suppliers’ contact persons, and clients and other stakeholders who you may need to contact when handling a crisis.

4. Communication

Communication plays a key role in every crisis and can rapidly improve or worsen a crisis situation, depending on how it’s handled. It’s important, therefore, that the contingency plan describes how the communication will work, who is responsible for preparing the communication message, and which channels should be used for the communication.

If you look at crises in the political arena, with government authorities or large organisations, major downfalls are often caused by deficient communication. Confidence is important, whatever the sector in which your organisation operates, and the consequences can be dire if this confidence is damaged by inaccurate or inadequate information. Be open and transparent, use clear, simple language, and make sure you take ownership of the communication message before it becomes known to your clients or is covered in the media.

Employees and/or their families are another group, over and above your clients, who have a real need for information but who can quickly be forgotten in the heat of a hectic crisis management process. The same principles apply here: be quick and precise in your messaging, say what you know and what you don’t know.

5. Action cards

Action cards are a kind of aide-memoire for the actions you need to take during a crisis situation and act as a tool both for generating a feeling of security amongst those involved in the crisis organisation and for ensuring early, effective action when a crisis hits. Action cards often consist of a simple role description, clear delineation of areas of responsibility, checklists for duties, and relevant phone numbers – all presented in a simple format. You should ensure that action cards are provided for all key roles within the defined crisis organisation and append them to the contingency plan.

Finally, you need to think about making contingency plans and action cards accessible, and not simply storing them somewhere in SharePoint or some other file server that might become inaccessible in the event of a power cut or when your IT goes down. Make sure that physical copies of the contingency plan have been printed out and that the crisis organisation employees have PDF versions of their action cards on their laptops or phones.


Does your company need help reviewing its system dependencies and help building up a solid contingency plan? Get in touch! 


Tags: Cyber Security
Image Alt Text

Let's bring yellow to your business!

Whatever digital transformation means for you, at Iver it's in our nature to find your best path to the cloud.