Business contingency: How to plan for the unexpected

Read time: 3 mins Added: 19/12/2025

The risks businesses face are hard to anticipate and constantly evolving. In the past, there were concerns about the possibility of office fires or IT outages, but more recently we’ve seen the impact of disruption due to lockdowns, supply chain breakdowns and soaring energy costs.

This isn’t just an issue for large businesses; smaller businesses can also be disrupted by a hacked computer or a local power cut. However, if you identify and plan for these risks, your business has a better chance of surviving them. It starts with a robust business continuity plan.

Why you need a business continuity plan

Disasters and serious incidents such as flooding, fire, IT failure or the death of a key employee are relatively rare. But, as the saying goes, you should always ‘hope for the best, plan for the worst'.

A business continuity plan can provide a backup operational structure to get you through an unexpected crisis.

It can help you:

  • identify and manage threats to your business
  • reduce the impact of serious incidents
  • minimise downtime and improve recovery time.

Contingency planning can also protect your reputation if events take a turn for the worse. By responding promptly, you can reassure everyone that you are in control, your core business operations will continue, as will your communication with customers, the media and other stakeholders.

The benefits don’t end there. If your business is part of a supply chain, effective contingency planning is a competitive advantage.

Key risks to your business

There are different types of risk to identify as you make your contingency plans, you’ll need to consider these and other examples specific to your business:

  • Denial of people – pandemic, strikes, single point of failure
  • Denial of premises – fire, flood, police closures
  • Denial of supplier – administration, supply chain issues, cyber attacks
  • Denial of systems – cyber attack, mechanical failure.

To create a strong business contingency plan, you must first identify the main risks:

  • Damage to premises – including fire, flooding or a terrorist incident
  • Equipment failure – any machinery essential to your operation, from computers to delivery vehicles
  • Product failure – if they cause injury or have to be recalled
  • External issues – such as transport or mail strikes
  • Supplier problems – difficulties and delays involving your major suppliers that adversely affect your business
  • Staff problems – a pandemic or a key employee's death or serious illness
  • Reputational damage  – negative stories in the press or on social media
  • Radical changes in the business environment – for example, new laws or competitors
  • Legal threats – from liability claims to copyright issues
  • Cyber attacks – such as malware, hacking, data loss or ransomware attacks on your website

It’s impossible to prepare in detail for every eventuality. Bloomberg UK reported the coronavirus pandemic caused a 14% rise in UK business closures compared to the previous year.

The risks mentioned above are some of the most common, so it makes sense to plan for as many of these as you can

How to create your business contingency plan

You might feel you’ve got enough to do already without spending time drafting business continuity plans for things that may never happen. It’s easy to put off what might seem like non-essential tasks until another day. 
 

Here are three tips for getting started:
 

  • Set aside non-negotiable time in your diary
  • Involve your team to spread the load (if applicable)
  • Set a clear deadline for completion


Once you’ve got a list of relevant risks using the table above as a guide, the next step is to assess each risk individually. 
 

Create a matrix outlining the risks, scoring them on: 
 

  • How likely is this to happen?
  • The financial and practical impact of resolving it
  • Any subsequent legal or regulatory considerations
  • What impact will it have on employees, customers and suppliers? 


The next step is categorising your key facilities and processes and prioritising recovery plans for business-critical operations. 


Decide who and what will be affected and how
 

This involves listing all the people and organisations you’ll need to contact if a serious incident happens in your business. This should be as detailed as possible with the names and contact details of staff, customers and the following suppliers:
 

  • Your banking and insurance providers
  • Local contractors you may need, such as plumbers and electricians
  • IT and broadband companies
  • Utility companies - water, gas and electricity


It’s worth having a secure copy of this list saved in the cloud so it can be accessed when getting to your premises isn’t possible. 

Once your contingency plan is ready, testing and reviewing it at least annually is crucial. As your business grows and changes, there may be other risks you need to prepare for. 

 

Considerations for IT continuity

Businesses of all sizes can be vulnerable to cyber-attacks and IT outages. Cyber insurer Coalition recently claimed that smaller firms have become bigger targets for cyber attacks
 

Specific threats include ransomware with demands for payment and customer information stolen through hacking. 
 

Having a small section in your business contingency plan for your IT systems is not enough - you need a separate continuity plan. For example, are you able to securely back up and run your systems off-site, if necessary? Other steps you can take include: 
 

  • Provide staff training to minimise risks from apps, emails and devices. If you have people working remotely, this is even more critical
  • Think carefully about how much information you share about your IT systems and who has access to servers and passwords, and avoid single human points of failure 
  • Prevent system administrators from using system privileges for reading email or web access. This reduces the chance of hackers accessing accounts with wide system access
  • Ensure your employees know what to do when IT problems strike - this should be documented to make things clear and consistent

 

Learn how to stay one step ahead of cyber risk on our dedicated hub. 
 

Are your IT systems insured? 
 

Cyber Insurance can provide cover if your IT systems are subject to a data breach or cyber attack. Your policy could reimburse you for: 
 

  • Lost revenue
  • Fines and penalties
  • Legal expenses
  • Restoring data


Learn more about our business insurance cover. 

How to make your IT systems more resilient

  • Use a reputable antivirus software product and keep it up to date
  • Ensure you have a firewall activated between your network and the internet
  • Stress the importance of updating software and firmware promptly to your staff
  • Document your IT policies, so your employees know what’s expected of them
  • Encourage staff to use strong passwords and to update these frequently

    Ensure staff take particular care with the origin of: 
  • Apps
  • Website links or URLs
  • Plugins
  • USB drives
  • Ensure users have the right level of system access to do their jobs and no more
  • Use multi-factor authentication for key systems, so you don’t rely on one password
  • Carry out vulnerability scans and penetration tests – for example, by sending mock-phishing emails. Many providers support this
  • Put early-stage warning systems in place to alert you of any attacks
  • Check for any dependencies or single points of failure – particularly in business-critical systems. For example, ensure your web servers can cope with spikes in traffic, or you have spare equipment available in case of breakdown.

How to draft your business contingency timeline

Your continuity plan should cover several crucial stages:
 

  • What will happen in the immediate aftermath of a serious incident? 
  • How will your business respond and continue to function? 
  • What’s your recovery plan, and how long will it take to return to normal?



For each stage, focus on what you will need to do across the following areas:
 

  • Communications
  • Customers
  • Financial resources
  • Logistical and technical issues
  • Management
  • Premises
  • Supply chain


It may be more important for some areas of your business to resume quicker than others. It’s wise to think about the order of this and who will be responsible for each function. Different parts of your business may need separate recovery plans. 
 

Compile a communications strategy 

Depending on the profile of your business and the issues affecting it, you may find yourself dealing with the press. You should nominate a spokesperson in case the incident is newsworthy. Reinforcing confidence in your recovery is essential to managing major incidents.

Your contingency plan should be fully documented and agreed upon so everyone can return to normal as soon as possible. It should align with your business strategy and objectives and be credible.

Testing and reviewing your plans


In the aftermath of any business continuity incident, there are some vital steps to take: 
 

  • Identify the root causes of the disruption to see how it can be prevented in the future
  • Review of what happened and how well your recovery plan worked
  • Optimise your plan where applicable to improve your recovery in case of a repeat
  • Keep a record of your activity so that there is a log of the incident, the response and the lessons learned


It’s not a foregone conclusion that your business will be affected by any of these risks. However, it’s prudent to test and review your contingency plans regardless. 
 

  • Ensure your testing is as comprehensive as possible. It’s often the small details that catch people out
  • Put time in your calendar to review your continuity plan at regular intervals. It also makes sense to revisit when you make changes to your team or IT systems, for example document everything you learned from testing

Useful links

You may also be interested in

Business Insurance

Protect your business from day-to-day risks, including including equipment, property damage and liability claims.

More on Business Insurance

Manage Hub

A selection of guides and products to help with the day-to-day running of your operation – focusing on money and tax, insurance, and people.

Visit the hub