Module 6

Contingency Planning

1. Introduction

Definition:
A contingency plan is a proactive strategy to address unexpected disruptions (e.g.,
cyberattacks, power outages, data breaches) and ensure business continuity. It is
often called "Plan B" and aligns with Business Continuity (BC), Disaster Recovery (DR),
and Risk Management.

Key Objectives:

• Minimize downtime and financial losses.

• Protect critical data and systems.

• Maintain stakeholder confidence.

Why It Matters:

• Example: The COVID-19 pandemic highlighted the need for remote-work
contingencies.

• Regulatory Compliance: NIST SP 800-34 (IT Disaster Recovery) mandates
contingency plans for federal systems.

Example of a contingency plan
• A contingency plan can focus on one specific part of an organization's
operations. For example, it can be the measures taken to back up all critical
data. Another example would be work-from-home provisions put in place in
case a facility is out of commission.
• The COVID-19 pandemic demonstrated to many organizations the importance
of having comprehensive contingency plans in place across an organization
prior to an unplanned event. Companies with adequate plans were able to react
faster when the pandemic started to escalate.

• Please see this video (What is Business Continuity Planning):
https://youtu.be/ZetTrqWFE_w

• The COVID-19 pandemic provided a good example of how important contingency planning is.

2. Contingency Planning vs. Related Concepts

| Aspect | Risk Management | Contingency Planning | Crisis Management |
|---|---|---|---|
| Focus | Proactive prevention | Prepared response | Reactive emergency handling |
| When Activated | Before risks occur | After risks are identified | During/after a crisis unfolds |
| Key Actions | Identify, assess, mitigate risks | Develop backup plans, train teams | Contain damage, communicate |
| Example | Firewall updates, staff training | Data backups, alternate workflows | PR statements, system recovery |

Key Takeaways:

1. Risk Management: "Stop bad things from happening."

2. Contingency Planning: "Plan how to handle bad things if they happen."

3. Crisis Management: "Fix things when they’ve already gone bad."

2. Five Components of a Contingency Plan

[ ] BIA: Identify critical systems
[ ] BCP: Keep operations running
[ ] Policy Statement: Define roles & scope
[ ] DRP: Restore IT infrastructure
[ ] Testing: Simulate & refine plans

3. Key Components of a Contingency Plan

3.1. Business Impact Analysis (BIA):

Business Impact Analysis (BIA) is a process that helps identify
the most important business functions and the potential effects of
disruptions on those functions. It determines which systems and data
are critical for day-to-day operations.

EXAMPLE:

Imagine your school suddenly loses internet access. Which
services must resume first—student records, online class platforms,
or email? BIA answers that by listing all activities and deciding which
ones are urgent. It helps in planning how soon to recover each
activity and what resources are needed.

Key Concepts:

• Identifies critical services

• Estimates downtime impacts (financial, operational, legal)

• Sets Recovery Time Objectives (RTO) and Recovery Point
Objectives (RPO)

3.2. Disaster Recovery Planning (DRP):

The DRP outlines procedures for restoring IT infrastructure
and systems after a major disruption or disaster, focusing on the
technical aspects of recovery.

EXAMPLE:

Think of this like creating a plan to fix your computer and
restore all your project files after a virus attack. DRP is that plan, but
for an entire organization’s computers and data.

Key Concepts:

• Backing up important data regularly

• Identifying alternate locations for IT services

• Step-by-step instructions to restore systems

3.3. Business Continuity Planning (BCP):

BCP focuses on keeping the business running even when
problems occur. It includes both IT and non-IT activities that are
essential for day-to-day operations.

EXAMPLE:
If your school floods and the computer lab is down, BCP
ensures classes still happen—maybe through printed materials or
transferring students temporarily to another room. It keeps services
going even without access to normal resources.

Key Concepts:

• Alternative methods for continuing services

• Temporary relocation plans

• Essential roles and responsibilities

3.4. Testing Contingency Plan (CP):

Testing ensures that the contingency plan actually works and
that everyone knows their role in a real emergency. This includes
different types of practice drills.

EXAMPLE:

Like a fire drill at school, this is practice for when something
goes wrong with technology or services. It helps find weak spots in
the plan.

Key Concepts:

• Tabletop exercises (discussion-based)

• Simulations (mock incidents)

• Full-scale testing (real-time drills)

• Reviewing what went right or wrong

3.5. Contingency Planning Policy Statement:

This is an official document that outlines why contingency
planning is important, who is in charge, and what the plan will cover.

EXAMPLE:

It’s like a class syllabus for contingency planning. It explains
the goal of the plan, who should do what, and how everyone is
expected to follow the procedures.

Key Concepts:

• Defines roles and responsibilities

• Sets scope and goals

• Establishes management support


4. Step-by-Step Contingency Plan Development

1. Risk Identification (e.g., cyberattacks, hardware failure).

2. Risk Assessment (Rate severity/likelihood: High/Medium/Low).

3. Prioritize Risks (Focus on High Severity + High Likelihood).

4. Develop Action Plans (Include triggers, roles, timelines).

5. Approve & Share (Get leadership buy-in; store plans centrally).

6. Test & Update (Conduct drills; revise post-incident).


How to write a contingency plan

Having a plan in place can significantly impact outcomes when things go
awry. This step-by-step contingency planning guide breaks down how to make a
contingency plan that keeps your business prepared for anything—from operational
hiccups to major disruptions. Whether you're dealing with cybersecurity threats or
supply chain issues, this guide will help you stay ahead and minimize downtime.

1. Make a list of risks

Before you can resolve risks, you first need to identify them. Start by making a
list of any and all risks that might impact the company.

Remember: there are different levels of contingency planning—you could be
planning at the business, department, or program level. Make sure your
contingency plans are aligned with the scope and magnitude of the risks you’re
responsible for addressing.

A contingency plan is a large-scale effort, so hold a brainstorming session with
relevant stakeholders to identify and discuss potential risks. If you aren’t sure
who should be included in your brainstorming session, create a stakeholder
analysis map to identify who should be involved.

2. Weigh risks based on severity and likelihood

You don’t need to create a contingency plan for every risk you lay out. Once
you outline risks and potential threats, work with your stakeholders to identify
the potential impact of each risk.
Evaluate each risk based on two metrics: the severity of the impact if the risk
were to happen and the likelihood of the risk occurring. During the risk
assessment phase, assign each risk a severity and likelihood—we recommend
using high, medium, and low.

3. Identify important risks

Once you’ve assigned severity and likelihood to each risk, it’s up to you and
your stakeholders to decide which risks are most important to address. For
example, you should definitely create a contingency plan for a risk that has high
likelihood and high severity, whereas you probably don’t need to create a
contingency plan for a risk that has low likelihood and low severity.
You and your stakeholders should decide where to draw the line.

4. Conduct a business impact analysis

A business impact analysis (BIA) is a deep dive into your operations to
identify exactly which systems keep your operations ticking. A BIA will help you
predict what impact a specific risk could have on your business and, in turn, the
response you and your team should take if that risk were to occur.
Understanding the severity and likelihood of each risk will help you determine
exactly how you will need to proceed to minimize the impact of the threat to your
business.
For example, what are you going to do about risks that have low severity but
high likelihood? What about risks that are high in severity but relatively low in
likelihood?
Determining exactly what makes your business tick will help you create a
contingency plan for every risk, no matter the likelihood or severity.

5. Create contingency plans for the biggest risks

Create a contingency plan for each risk you’ve identified as important. As
part of that contingency plan, describe the risk and brainstorm what your team will
do if the risk comes to pass. Each plan should outline all the necessary steps to
resume normal business operations.
Your contingency plan should include information about:
• The triggers that will set this plan into motion
• The immediate response
• Who should be involved and informed
• Key responsibilities, including a RACI chart if necessary
• The timeline of your response (i.e., immediate things to do vs. longer-term
things to do)

6. Get approval for contingency plans

Make sure relevant company leaders know about the plan and agree with
your course of action. This is especially relevant if you’re creating team- or
department-level plans. By creating a contingency plan, you’re empowering your
team to respond quickly to a risk, but you want to make sure that course of action
is the right one. Plus, pre-approval will allow you to set the plan in motion with
confidence—knowing you’re on the right track—and without having to ask for
approvals beforehand.

7. Share your contingency plans

Once you’ve created your contingency plans, share them with the right
people. Make sure everyone knows what you’ll do, so if and when the time comes,
you can act as quickly and seamlessly as possible. Keep your contingency plans in
a central source of truth so everyone can easily access them if necessary.
Creating a project on a work management platform is a great way of
distributing the plan and ensuring everyone has a step-by-step guide for how to
enact it.

8. Monitor contingency plans

Review your contingency plan frequently to make sure it’s still accurate.
Take into account new risks or new opportunities, like new hires or a changing
business landscape. If a new executive leader joins the team, make sure to surface
the contingency plan for their review as well.

9. Create new contingency plans (if necessary)

It’s great if you’ve created contingency plans for all the risks you found, but
make sure you’re constantly monitoring for new risks. If you discover a new risk
and it has a high enough severity or likelihood, create a new contingency plan for
that risk. Likewise, you may look back on your plans and realize that some of the
scenarios you once worried about aren’t likely to happen or, if they do, they won’t
impact your team as much.
CONTINGENCY PLAN BASED ON SEVERITY AND LIKELIHOOD OF RISKS
EXAMPLE ON HOW TO WRITE A CONTINGENCY PLAN

Contingency Plan : Capstone Project Disruption – Online Enrollment System
Project Title : Development of an Online Enrollment System for Camiguin Polytechnic State College
Team : 3rd Year BSIT Students
Prepared by : Group 1
Date : April 5, 2025

1. List of Identified Risks

| Risk ID | Risk Description |
|---|---|
| R1 | Laptop/PC crashes causing data loss |
| R2 | GitHub repository access issue |
| R3 | Internet outage during system presentation/demo |
| R4 | Group member gets sick or drops out |
| R5 | Database corruption or loss of test data |
| R6 | Unexpected adviser unavailability (approval delay) |
| R7 | Cybersecurity breach (malware/ransomware infection) |

2. Risk Assessment – Severity and Likelihood

| Risk ID | Severity | Likelihood | Examples |
|---|---|---|---|
| R1 | High | High | File corruption, system crash |
| R2 | Medium | Medium | GitHub password lost, access revoked |
| R3 | Medium | High | Power/internet outage during final presentation |
| R4 | High | Medium | Medical or personal emergency |
| R5 | High | Medium | Test DB corruption, lost backup |
| R6 | Medium | Medium | Unavailable adviser during defense week |
| R7 | High | Low | Online system gets attacked/hacked |

3. Important Risks to Address

Based on the severity and likelihood:

| Decision | Risks |
|---|---|
| Plan required | R1, R3, R4, R5 |
| Consider planning | R2 and R6 |
| Generalized plan | R7 (low likelihood, high severity) |

4. Business Impact Analysis

The Online Enrollment System is crucial to the digital transformation of enrollment
processes. Disruptions may:
• Delay project completion and graduation eligibility.
• Impact stakeholders’ (faculty/students/admin) confidence in the system.
• Lead to data loss, requiring redevelopment or re-testing.

5. Contingency Plans for Key Risks

Risk ID: R1
Issue: Laptop/PC Crashes Causing Data Loss
Trigger: Device becomes unresponsive; code or docs lost.
Immediate Response: Stop use, attempt file recovery.
People Involved: Dev team, documentation lead, faculty adviser.
Responsibilities:
• Team Lead: Report to adviser.
• Devs: Recover from Git or Google Drive backup.
Timeline:
• 0–2 hrs: Identify problem
• 2–4 hrs: Recover files
• Within 24 hrs: Resume work from last backup.
Preventive: Weekly Google Drive + GitHub backups.

Risk ID: R3
Issue: Internet Outage During System Presentation
Trigger: Network loss during live demo/defense.
Immediate Response: Switch to offline localhost version.
People Involved: Presenters, IT support (if available).
Responsibilities: Prepare offline version in advance.
Timeline:
• Immediate: Notify panel, switch to offline mode.
Preventive: Prepare backup videos/screenshots for UI/UX.

Risk ID: R4
Issue: Group Member Becomes Unavailable
Trigger: Illness, personal issues, or withdrawal.
Immediate Response: Redistribute tasks.
People Involved: Team leader, remaining members.
Responsibilities: Adjust workload and deadlines.
Timeline:
• 0–1 day: Notify adviser and reassign tasks.
• 1–3 days: Adjust timeline and continue.
Preventive: Shared documentation access and cross-training.

Risk ID: R5
Issue: Database Corruption or Loss
Trigger: Incomplete data import/export or SQL error.
Immediate Response: Restore from SQL backup.
People Involved: Backend dev, team leader.
Responsibilities: Maintain weekly .sql backup files.
Timeline:
• 0–2 hrs: Restore DB.
• 1–2 days: Re-test affected modules.
Preventive: Regular test DB backups with timestamps.

Risk ID: R2
Issue: GitHub Repository Access Issue
Preventive Only: Two team members should have admin access;
credentials stored in a secure shared vault (e.g., Bitwarden).

Risk ID: R7
Issue: Cybersecurity Attack (Malware)
Generalized Plan: Maintain updated antivirus; do not use flash
drives from unknown sources. Always scan files
and avoid suspicious links.

6. Approval
This plan is submitted to:
• Capstone Adviser – [Insert name]
• IT Project Coordinator – [Insert name]
Awaiting signatures for acknowledgment and approval.

7. Distribution
Plan to be shared via:
• Google Drive (shared folder: “Group 1 – Capstone Plan”)
• Printed copy submitted to Adviser
• Summary shared in group chat for awareness

8. Monitoring
This plan will be reviewed:
• Monthly, or
• After any major development milestone
• Following any incident

9. New Plans (If Necessary)

New risks (e.g., school policy changes or LMS migration) will be
monitored. New contingency plans will be added if severity/likelihood meets
the planning threshold.

Case Study # 4:
Case Study Scenario: Data Center Outage at Camiguin Polytechnic State
College
Background: Camiguin Polytechnic State College (CPSC), through its Registrar's
Office, hosts student records and a desktop-based grading system that allows students
to view their grades using their student ID as a user account. One afternoon, during
a thunderstorm, a sudden power surge damages several servers housed in the
registrar's data room. As a result, access to the grading system and student records
is lost, affecting student inquiries and administrative processes.
The BSIT 3rd-year students assigned as part of the IT support team must respond
using the components of the Contingency Plan.
