Create a Contingency Plan That Works

Transcript

[Presenter] Contingency planning isn't just about handling major crises. It can also prepare you for more commonplace problems such as data loss, cybersecurity alerts, or staff illness.

If you make contingency planning a routine part of the way you work, you'll always have a backup option when things go wrong. Here's how to develop one.

Risk Assessment

First, conduct a risk assessment. This should include three key sections.

Start by listing your business-critical operations. These are the key processes and functions your organization needs to operate. For example, your supply chain, your internet connection, or your ability to comply with legal standards.

Then identify the threats that could harm each of these critical operations. For example, the loss of key staff, or a cyber attack on your website.

Then, analyze the impact of each risk and estimate how likely it is to happen. Processes that are essential to your organization's survival, like maintaining cash flow should be at the top of your list.

Now you've assessed and analyzed the risks, it's time to draw up your contingency plan in case any risks become a reality. Here are the key elements to include.

Scenarios

Using your risk assessment, choose the most damaging and most likely scenarios that you want to plan for. Then map out what should happen in each case.

Include a broad range of scenarios. For example, cyber-attacks, extreme weather, loss of key suppliers, or structural problems with your business premises.

Triggers

Specify the triggers that will cause you to put your plan into action. For example, if you have a plan for a cyber attack, will it be triggered by any suspicious activity? Or only by a confirmed attack? One event could have multiple triggers.

Response Overview

Include a summary of the strategy that you will follow in response to the event. This provides a context for the actions that you'll ask people to take.

In the example of a cyber attack, you might ask people to shut down computers or remove certain apps or software.

People to Inform

Identify the people who need to know about what's happened, too. For example, employees, suppliers, customers, and the wider public, as appropriate.

Also, make sure that you're aware of your legal obligations, and that any incidents are reported to the relevant authorities, where necessary.

Key Responsibilities

Define who's responsible for each element of the plan. Who's in charge at what stage? And what will you expect them to do?

A cyber attack would involve your tech team at an early stage, for example, with clear actions to perform.

Timeline

State what needs to be done within the first hour, day and week of the plan being implemented. You may need more detailed timelines for certain situations, such as data breaches, serious injuries, or leaks of hazardous materials.

Also, include details of when and how you'll expect normal business to resume after the risk has been removed or overcome. A cyber attack, for example, would need a clear, step-by-step timeline, from initial detection to the final all-clear.

Let's recap.

Things can and do go wrong, but having a contingency plan in place means you'll be able to deal with unexpected events calmly and decisively.

To develop a contingency plan, you should first conduct a risk assessment to identify the biggest threats to your business. Then draw up contingency plans for these high-risk situations, considering different scenarios, triggers, your immediate response, who needs to be involved, and a timeline of events.

When you have a good contingency plan in place, you'll feel safe and secure in the knowledge that, if things do go wrong, you'll know exactly what to do to make it right again.