Based on your business continuity threat and risk assessment, what are the most concerning natural, technological, or manmade potential threats to your business?
For businesses located along the San Andreas fault line in California, it might be a major earthquake (a 19% chance in the next 30 years). For companies in Florida, it might be a hurricane (a 61% chance). For those in New York City, it could be a terrorist attack (threat levels change daily).
And for some businesses across the U.S., particularly for those in rural areas, the greatest concern might be losing internet access for an extended period of time.
That’s where your contingency plans come in. Don’t have any? You should. Let’s take a closer look at what contingency planning is and how it differs from business continuity.
“Contingency planning” and “business continuity” are often-confused terms. They are similar in meaning—both are intended to enable organizations to continue operations in the event of a crisis—but they differ in the details.
Business continuity encompasses a range of activities that revolve around one central question: Could you maintain business as usual in the face of a disruption? It includes the writing of business recovery plans—plans that provide direction on the steps to take should a disruption ever occur.
Intended to cover a broad range of disruptive scenarios, recovery plans are tailored to address the impact of an event rather than a specific event itself—for instance, not the loss of your workplace due to a hurricane specifically, but the loss of your workplace due to any unexpected event.
Contingency planning, on the other hand, addresses survival in the face of specific types of events—those that present the greatest threat to the survival of your business (like hurricanes, earthquakes, terrorist attacks, etc.). The contingency plan acts as a reference guide for business leaders, laying out instructions to follow should these particular events ever occur. Many city governments, for example, have contingency plans for events that have a higher likelihood of occurring—anything from floods to power outages to energy shortages. Contingency plans are written with a greater level of detail than recovery plans (e.g., 10 things employees should do before they evacuate the building due to a hurricane vs. simply a general directive to evacuate the building should the need arise), but both sets of directives go hand in hand.
Even if you have business continuity plans, it’s smart to create contingency plans as well because of the high level of risk posed by certain scenarios.
To determine the type of contingency plans you need, start by performing a Business Impact Analysis (BIA). The BIA identifies your organization’s most critical business units and processes—information that will help ensure your contingency plans support the right components for survival.
Next, conduct a threat and risk assessment to identify conditions or situations that may cause a business process outage, and then determine the probability of those risks occurring. From the threats listed, pinpoint those that have:
These are the scenarios for which you need contingency plans. (Even if an event has a low probability of occurring but would have a catastrophic impact should it take place, it’s wise to create a contingency plan.) They pose the highest level of risk to your organization, which is why it’s important to be well prepared.
BCMMetrics™ can help you get the necessary information to start creating effective contingency plans for your business, without hiring outside help. Our BIA On-Demand (BIAOD) tool gives you all the right questions to ask to accurately identify your company’s most critical processes and their dependencies. And the Residual Risk (R2) tool helps measure and assess risk factors and the threat landscape for your organization. There’s no software to install; it’s all cloud-based and secure, so you can get started right away.