Business contingency planning

Business contingency planning probably isn’t at the forefront of your mind when running your company day-to-day. However, there’s no shortage of risks that could disrupt business as usual. For example: 

  • Fires and floods
  • IT problems/hacks
  • Supply chain delays 
  • Power cuts
  • Rising energy bills

These issues can come out of the blue, so being proactive now can help you identify and plan ahead. If the worst were to happen, you'd be prepared for how to react and give your business the best chance of survival. The first step is to create a robust business contingency plan, also known as a continuity plan.

Why do you need a business contingency plan?

The COVID-19 pandemic and its impact on businesses of all sizes showed how vital it is to be prepared for anything. Smaller, more localised events such as those listed above can still cause huge problems if you’re taken by surprise. 

A detailed business contingency plan will provide you with a clear structure and roadmap for what to do in a crisis. So, what are the benefits? 

  • Identify and manage threats that could negatively impact your business
  • Reduce the financial and operational impact of serious incidents
  • Speed up your recovery time 

When employees, customers and suppliers rely on you, effective continuity planning can also help minimise reputational damage and give you a competitive advantage over those who haven’t put anything in place. 

To create a strong business contingency plan, you must first identify the main risks:

  • Damage to premises – including fire, flooding or a terrorist incident
  • Equipment failure – any machinery essential to your operation, from computers to delivery vehicles
  • Product failure – if they cause injury or have to be recalled
  • External issues – such as transport or mail strikes
  • Supplier problems – difficulties and delays involving your major suppliers that adversely affect your business
  • Staff problems – a pandemic or a key employee's death or serious illness
  • Reputational damage – negative stories in the press or on social media
  • Radical changes in the business environment – for example, new laws or competitors
  • Legal threats – from liability claims to copyright issues
  • Cyber attacks – such as malware, hacking, data loss or ransomware attacks on your website

It’s impossible to prepare in detail for every eventuality. Bloomberg UK reported the coronavirus pandemic caused a 14% rise in UK business closures compared to the previous year.

The risks mentioned above are some of the most common, so it makes sense to plan for as many of these as you can.

How to create your business contingency plan

You might feel you’ve got enough to do already without spending time drafting business continuity plans for things that may never happen. It’s easy to put off what might seem like non-essential tasks until another day. 

Here are three tips for getting started:

  • Set aside non-negotiable time in your diary
  • Involve your team to spread the load (if applicable)
  • Set a clear deadline for completion

Once you’ve got a list of relevant risks using the list above as a guide, the next step is to assess each risk individually. 

Create a matrix outlining the risks, scoring them on: 

  • How likely is this to happen?
  • The financial and practical impact of resolving it
  • Any subsequent legal or regulatory considerations
  • What impact will it have on employees, customers and suppliers? 

The next step is categorising your key facilities and processes and prioritising recovery plans for business-critical operations. 

Decide who and what will be affected and how

This involves listing all the people and organisations you’ll need to contact if a serious incident happens in your business. This should be as detailed as possible with the names and contact details of staff, customers and the following suppliers:

  • Your banking and insurance providers
  • Local contractors you may need, such as plumbers and electricians
  • IT and broadband companies
  • Utility companies - water, gas and electricity

It’s worth having a secure copy of this list saved in the cloud so it can be accessed when getting to your premises isn’t possible. 

Once your contingency plan is ready, testing and reviewing it at least annually is crucial. As your business grows and changes, there may be other risks you need to prepare for. 


Considerations for IT continuity

Businesses of all sizes can be vulnerable to cyber attacks and IT outages. Cyber insurer Coalition recently claimed that smaller firms have become bigger targets for cyber attacks.

Specific threats include ransomware with demands for payment and customer information stolen through hacking. 

Having a small section in your business contingency plan for your IT systems is not enough - you need a separate continuity plan. For example, are you able to securely back up and run your systems off-site, if necessary? Other steps you can take include: 

  • Provide staff training to minimise risks from apps, emails and devices. If you have people working remotely, this is even more critical
  • Think carefully about how much information you share about your IT systems and who has access to servers and passwords, and avoid single human points of failure 
  • Prevent system administrators from using privileged accounts to read email or browse the web. This reduces the chance of hackers accessing accounts with wide system access
  • Ensure your employees know what to do when IT problems strike - this should be documented to make things clear and consistent



Are your IT systems insured? 

Cyber Insurance can provide cover if your IT systems are subject to a data breach or cyber attack. Your policy could reimburse you for: 

  • Lost revenue
  • Fines and penalties
  • Legal expenses
  • Restoring data


How to make your IT systems more resilient

  • Use a reputable antivirus software product and keep it up to date
  • Ensure you have a firewall activated between your network and the internet
  • Stress the importance of updating software and firmware promptly to your staff
  • Document your IT policies, so your employees know what’s expected of them
  • Encourage staff to use strong passwords and to update these frequently

  • Ensure staff take particular care with the origin of:
      • Apps
      • Website links or URLs
      • Plugins
      • USB drives
  • Ensure users have the right level of system access to do their jobs and no more
  • Use multi-factor authentication for key systems, so you don’t rely on one password
  • Carry out vulnerability scans and penetration tests – for example, by sending mock-phishing emails. Many providers support this
  • Put early-stage warning systems in place to alert you of any attacks
  • Check for any dependencies or single points of failure – particularly in business-critical systems. For example, ensure your web servers can cope with spikes in traffic, or you have spare equipment available in case of breakdown.

How to draft your business contingency timeline

Your continuity plan should cover several crucial stages:

  • What will happen in the immediate aftermath of a serious incident? 
  • How will your business respond and continue to function? 
  • What’s your recovery plan, and how long will it take to return to normal?

For each stage, focus on what you will need to do across the following areas:

  • Communications
  • Customers
  • Financial resources
  • Logistical and technical issues
  • Management
  • Premises
  • Supply chain

It may be more important for some areas of your business to resume more quickly than others. It’s wise to think about the order of this and who will be responsible for each function. Different parts of your business may need separate recovery plans. 

Compile a communications strategy 

Depending on the profile of your business and the issues affecting it, you may find yourself dealing with the press. You should nominate a spokesperson in case the incident is newsworthy. Reinforcing confidence in your recovery is essential to managing major incidents.

Your contingency plan should be fully documented and agreed upon so everyone can return to normal as soon as possible. It should align with your business strategy and objectives and be credible.

Testing and reviewing your plans

In the aftermath of any business continuity incident, there are some vital steps to take: 

  • Identify the root causes of the disruption to see how it can be prevented in the future
  • Review what happened and how well your recovery plan worked
  • Optimise your plan where applicable to improve your recovery in case of a repeat
  • Keep a record of your activity so that there is a log of the incident, the response and the lessons learned

It’s not a foregone conclusion that your business will be affected by any of these risks. However, it’s prudent to test and review your contingency plans regardless. 

  • Ensure your testing is as comprehensive as possible. It’s often the small details that catch people out
  • Put time in your calendar to review your continuity plan at regular intervals. It also makes sense to revisit it when you make changes to your team or IT systems, for example
  • Document everything you learned from testing
