Contingency planning

Good business management means planning for when things go wrong, as well as when things go right. Disasters and serious incidents such as flooding, fire or the death of a key employee are relatively rare, but they do happen. By identifying possible risks to your business and using them to make a contingency plan, you can ensure your business continues to survive and thrive after a crisis.

Every business faces challenges but it is how well you deal with them – particularly in a crisis – that makes the difference. Having a robust plan in place beforehand can make things easier and faster to deal with when problems arise.

Why have a contingency plan?

There will always be evolving risks that are tricky to anticipate but drawing up contingency plans for a plan ‘B’ means you are ready to switch to an alternative plan should the need arise. Continuity is not just an issue for larger organisations. Smaller businesses also need to be able to survive a major disruption. Having a proactive approach can help you:

  • identify and manage threats to your business
  • reduce the impact of incidents
  • minimise downtime and improve recovery time.

Having a good contingency plan can put you in a stronger place when trying to win new business compared with a competitor that is not so well prepared. It can also help you ensure the robustness of your supply chain when looking for potential new suppliers.

It’s worth knowing that more than 40% of businesses affected by the Manchester Arena bombing went out of business never to return*. So make sure you are part of the majority of resilient survivors.

Contingency plans can also help protect your reputation when things go wrong. You can put your plan into action straight away and stakeholders and commentators can see that you are taking positive action from the off. Your essential business operations will be able to continue, you’ll be able to communicate effectively with customers, the media if necessary and other key stakeholders.

 Key risks to your business

There are three types of risk to identify as you make your contingency plans:

  1. A major disaster that immediately prevents normal business.
  2. A gradually worsening situation that makes it difficult to operate normally.
  3. A series of smaller events happening simultaneously.

Risks to consider include:

  • Physical problems – things that might physically damage your property such as fire or flooding.
  • Equipment failure – any machinery which is essential to your operation including computers and delivery vehicles.
  • Product failure – if your products cause injury or have to be recalled.
  • External issues – such as a transport strike preventing you from getting a delivery to a key client.
  • Supplier problems – difficulties involving your major suppliers are likely to adversely affect your business too.
  • Staff problems – including the death or serious illness of a key employee or a pandemic which prevents staff from coming into work.
  • Public relations – negative feedback about your company, including on social media sites.
  • Radical changes in the business environment – such as a highly aggressive or disruptive competitor moving into your area or doing things a new way. 
  • Legal threats – from liability claims to copyright issues.
  • Cyber attacks - such as malware, hacking, loss of data and denial of service or ransomware attacks on your website.

 Drawing up your contingency plan

When you are busy, it can be easy to put off drawing up contingency plans. But being prepared is invaluable in the long term. Put time in the diary to do it or maybe create a small project team to be responsible. Set targets and put deadlines in place so it isn’t forgotten. Involve your staff as they will have a good idea of what would be needed to overcome a wide variety of issues.

  • Make a list of all the possible risks to your business, however unlikely.
  • For each of your risks make a note of how likely that risk will may occur and the impact it will have if it did occur. Make sure you understand which operations are mission critical to the running of your business and that way you can prioritise appropriately.
  • Decide who/what will be affected in each eventuality and how.
  • Make a list all the people and organisations that you will need to contact in the event of a serious incident with their contact details, e.g. your staff, your customers, your bank, your insurers and your suppliers, as well as details of plumbers, electricians etc. Ideally this list should be cloud-based or accessible from anywhere so you don’t have to rely on getting into your premises to find it. 
  • Identify which risks are insurable and check that you have adequate cover. As well as protection against fire, flood and theft you can also insure against the death or illness of a key person in your business or the legal costs of protecting your intellectual property. Insurance companies may reduce your premium if you have a contingency plan in place.
  • Minimise the impact of serious incidents as far as possible. Make sure that you have adequate emergency call-out arrangements covering your essential equipment, for example.

Make use of the Government’s Business Continuity Management Toolkit as a starting point for creating your plans.

Alternatively, there is a British Standard for continuity management ISO 22301 which is specially designed for small and medium-sized businesses. You could consider using that option if you want some external expert help in drawing up and putting a plan in place.

 What else to include in your contingency plan

Your contingency plan should cover several stages:

  • What will happen immediately after a serious incident
  • How your business will continue
  • How it will get back to full strength and how long this might take. 

For each stage, focus on what you will need to do at that point from areas including management, financial resources, logistical and technical responses, supply chain, customers, premises, communications and coordination and so on – specific to your business.

Set out the order in which business functions will be resumed and who will be responsible for doing what.

You may need to make specific recovery plans to cover different risks, such as for disruptions to IT and telephony. Most businesses these days are highly reliant on computer systems so also have a look at our guide to building in resilience to your IT systems.

Draw up appropriate communications plans to deal with incidents. These can range from getting in touch with staff to trigger your contingency plans to briefing the press. Consider nominating someone as a spokesperson or have details of an industry PR company to hand, in case your business is caught up in an incident that is newsworthy. Reinforcing confidence in your business’s ability to recover is an essential element in organisations weathering problems successfully.

Make sure your plan is fully documented and agreed so everyone can follow the plan to get back to normal as quickly as possible. Check that you plan aligns to your strategy and objectives so it is focussing on the right things and is credible. It will help prevent any wasted effort at a crucial time. 

Testing your plans

Once you’ve put your plan together, make sure your managers and staff are familiar with it and they understand what their roles will be. Test your plans as much as possible, learn from any minor incidents and gather feedback, then use the lessons learned to improve them. 

Keeping your plans safe

Copies of your plans should be stored away from the workplace to keep them safe. Make sure that plans are kept up to date – note any new risks and keep contact details updated. For example, if there are major changes in legislation that affect your business, then make sure any contingency plans are updated to take account of these.

While all reasonable care has been taken to ensure that the information provided is correct, no liability is accepted by Bank of Scotland for any loss or damage caused to any person relying on any statement or omission. This is for information only and should not be relied upon as offering advice for any set of circumstances.  Specific advice should always be sought in each instance.

Digital Knowhow

Practical guides to help improve your digital skills and business performance.

IT resilience and disaster recovery

Most businesses are highly reliant on their computer system. Having a disaster recovery plan in place can minimise any disruption. 

Business Insurance

Running a business can be difficult, protecting it shouldn’t be.