Background

A well developed contingency plan has enormous value for the organisation beyond the obvious – the ability to speedily, smoothly and cost effectively respond to significant changes in the environment. The development of a comprehensive contingency plan will:

  • Focus the company on identifying what risks exist and the levels of that risk;
  • Enable the company to review the overall objectives of the existing plan in the light of the risks identified, (especially their impact on company KPI's);
  • Assist in creating strategies to manage and mitigate risk (prevention being far cheaper than cure);
  • Review the existing information system to clarify whether it can both identify failure early (early correction is far cheaper and easier than late), correctly  (taking the right action for the right reasons rather than the wrong actions for the wrong reasons), and has the ability to forecast significant changes in the risk environment (controlling change rather than reacting to it is always more cost effective);
  • Establish a set of actions/ policies which are in line with the problem (this is the concept of graduated response – as problems grow worse, more severe actions need to be considered, but it is often early and small changes that prevent larger difficulties occurring in the future);
  • Formalise contingency plan actions into standard operating procedures (SOP);
  • Provide for the integration of contingency plan actions into company wide induction and maintenance training to ensure rapid and effective response, and link with outside agencies where necessary;
  • Create a framework which can be continuously reviewed and updated, with post event analysis incorporated into best practice.

Software exists to assist the company in the creation and management of contingency planning, but an initial manual approach is advisable – otherwise the company either over or under plans its responses.

Risk

Two golden rules should be followed in assessing potential risk – What can go wrong, will go wrong, and – If it cannot go on, it will not. An initial assessment of possible risk components should be as broad as possible – the Ibis standard checklist has over 160 items listed, but within this list there are two important groups – those that have high probability of occurring and those that have high impact on company performance. These will vary over time and for specific industries. The worst group is obviously those that have both high impact and high probability – such as fuel prices in the airline industry.

Eight broad types of risk exist for each enterprise, though they obviously influence each other:

Strategic risk;
Macro environmental risk;
Operational risk;
Stakeholder risk;
Competitive risk;
Implementation option risk;
Project risk;
Disaster risk

Strategic risk is concerned with the mixture of strategies that the enterprise follows with some such as diversification being far more risky than market penetration, and it is also concerned with portfolio theory and the need to diversify products, customers, countries, suppliers, finance and personnel.

Macro environmental risk is concerned with the way in which the Political, Economic, Social, and Technology components will influence the enterprise.
Competitive risk is concerned with the way in which competitors both currently and in the future will affect enterprise policies.
Operational risk is associated with the ability of the enterprise to implement its policies, including such problems as quality, delivery, customer satisfaction, security, fraud, personnel and production/ service delivery failure.
Stakeholder risk is associated with problems due to one or more of the various stakeholders (employees, suppliers, government or others) changing their policies or failing in the delivery of particular planned actions.
Implementation option risk is associated with difficulties encountered during the action planning of policies such as mergers and acquisitions, franchising, partnering.
Project risk is focused on the probabilities that certain tasks within a project will face problems of time, budget or specification achievement.
Disaster risk concerns the planning for “major” events, such as hurricanes, riots, tidal waves, floods, air crashes and the like.

Impact on objectives

One of the more useful aspects of contingency planning, and one little discussed, is its relationship to the structure of the overall plan. The creation of the plan should lead managers to consider the impact of changes in risk on the probable level of organisation performance. As the level of environmental risk increases, so will the risk of not achieving the plan objectives. What level of risk is acceptable to stakeholders? Does a changing level of risk imply the need for changed objectives? For example, a high probability/ high impact risk would be a recession for a consumer goods company – should not this imply a changed set of objectives from perhaps aggressive to conservative?

Defining responsibility for contingency planning

The devolution of company authority and responsibility through the creation of strategic business units and knowledge centres provides the best solution to contingency planning. Knowledge centres will understand the underlying risks better than central management; they will be able to react more quickly and more effectively. Incorporating contingency planning as part of a bottom up business plan by integrating contingency planning into knowledge centre reporting will focus each team on creating and maintaining effective contingency plans.

Managing risk through designing out, mitigating and sharing

As the development of the contingency plan identifies the major risk components, management can consider each with the following questions:

Can we design it out entirely or partially? (for example, premises design/ location can significantly reduce the impact of fire, flood, access, employee productivity, health, strategic and operational choices such as multiple sourcing);

Can we mitigate it through the implementation of the correct disciplines? (for example, project failure can be mitigated through accurate design and effective monitoring or customer loss through programmes such as customer satisfaction audits);

Can we share the risk? (credit insurance for example).

Each of these actions will involve cost. Some of this will be essential – such as fire doors for example – but much of it will be discretionary. Decisions will have to made as to the level of investment that the organisation is prepared to make to control and manage the risk – often not easy when resources are limited. As contingencies, by their very nature do not occur when expected, the organisation needs to budget for them – and this obviously relates to the level of risk inherent in the environment. Where the risk is low, the set aside can be also low. Where it is high – for example in start up high technology ventures, the additional resources should be considerable. In the existing company a review of unexpected expenditures over a three year period will give a good starting point for setting contingency budgets, while benchmarking and industry experience will give similar indications for start-up companies.

Managing risk through improved information systems

A second important impact on the overall business and development efficiency of the contingency plan is the review of the information system. It will emphasise the need for information gathering, correlation and review processes to meet specific company requirements.

Some failure is obvious and easy to identify, but much can be quite complex. For example, loss of electricity supply is straightforward; employee fraud is often far more sophisticated. The review of the information system should initially concentrate on high probability/ high impact areas and ensure that changes in these criteria can be identified as early and as accurately as possible. Once this has been achieved it is important to ensure that the data provides access to the real problem.

For example, company sales may be in decline. Is the real reason that the product/ service is uncompetitive? That quality has declined? That sales force/ marketing effectiveness has declined? That the economy has changed?  There is a problem with a major customer? There is little point in spending money on sales promotion for example if the real reason is that a major customer has liquidity problems – that will be resources poorly spent.

Finally the information systems should be reviewed to clarify whether they can provide reasonable forecast data in key areas that need to be managed. Does the system provide accurate information on high probability/ high impact trends? Does it need to be strengthened?  What research and/ or additional systems do we need to carry out? What are the associated costs? Primary research can be very expensive – is there adequate secondary research available?

Action policies

The concept of the trigger point is important in establishing action plans and policies. At what stage should you take action? If sales decline by 2% – is it within the normal range of variance or does it demand correction? Each company will have different requirements and different market circumstances. The contingency plan needs to establish:

What are the key areas of remaining risk that need to be managed
What the budgetary implications are for the required action(s)
What initial investment needs to be made in creating the framework for effective response
What maintenance investment needs to be considered to ensure that the plan is continually active and responsive
When the boundary conditions have been exceeded
What action should be taken at that time;
What action is next to be taken should the situation further deteriorate;
Who is responsible for taking the corrective action(s);
How they will report;
Who they will report to;
How the organisation will measure that “success” has been achieved (however “success” can be measured);
What recovery measures will be necessary,
How outcomes will be reviewed and lessons learnt.
These must be realistic: the organisation can carry out these actions – unless it has the resources to do so the plan will be useless.

Budgeting

Every enterprise will need to budget for key contingency plans. It is obvious that when disaster strikes no operational unit should be required to check with senior management that the required expenditure is authorized. Obviously, not all possible contingencies should be treated equally.

Research on 1000 companies over a five year period identified the most common failure points which required specific corrective action in order of importance:

Cash flow
Sales variation
Finance covenant failure
Key employee loss
Supplier failure
IT failure
Delivery failure
Bad debts
Equipment failure
Skills failure
Quality failure
Data loss
Foreign exchange
Industrial relations dispute
Health and safety
Weather related failure
Security failure
Tax management
Fraud

The inclusion of contingency plan funding in the enterprise budget has a number of implications. First it supports the view that the enterprise should ensure financial headroom through including an element of free cash flow. This free cash flow emphasis will encourage intrapreneurialism especially with internal competition for funds for cost management projects. With bonus systems in place which integrate enterprise wide objectives (normally from the balanced scorecard) with knowledge centre based budget and project management targets, overall operational performance will be enhanced.

Standard operating procedures

The important contingency plans need to be formalised and incorporated in documentation so that staff are aware of the plan demands and what actions should be followed. The simplest health check within the organisation is to ask managers a series of simple questions – what do you do if x, y or z happens? If they cannot answer, it is clear that there is a requirement for the creation of standard operating procedures available throughout the company to guide actions and decisions. Where a contingency plan is complex, it is unrealistic to expect individuals to remember the detail – but if they know that it is available both in written form and ideally on the company Intranet, they will be able to rapidly access and use it.

The other advantage of the standard operating procedure for the contingency plan is that it will provide an audit trail to ensure that specific tasks have been completed – important both for internal and any external review.

Contingency planning and training

Staff forget; when they join an organisation they need to become aware of its operating procedures. In both cases, the incorporation of the contingency plans into training makes sense, as part of an induction framework or as regular reminder or maintenance training.

Review and update

Circumstances change, and every organisation can learn from experience. Reviewing and updating contingency plans is essential – and where it has been used, a post plan review makes obvious sense so that improvements can be incorporated while lessons are fresh in the mind. Incorporating the contingency plan into the monthly review ensures that changes where necessary are made and that the key high probability/ high impact areas receive constant attention.

Setting priorities in contingency planning through creating detailed plans for key high risk/ high probability events

The first stage in setting priorities must be to create a risk  profile which provides a mechanism for identifying which are the most serious risks, and focusing on each of these in turn in descending order.

The risk profile can be applied and published in chart form

Factor

Probability

Impact

Score

% design out

% share

% mitigated

Residual score

Strategic risk

 

 

 

 

 

 

 

Macro risk

 

 

 

 

 

 

 

Operational risk

 

 

 

 

 

 

 

Stakeholder risk

 

 

 

 

 

 

 

Competitive risk

 

 

 

 

 

 

 

Implement option risk

 

 

 

 

 

 

 

Project risk

 

 

 

 

 

 

 

Disaster risk

 

 

 

 

 

 

 

Next will be the completion of a detailed plan for each major risk. This will contain a number of components, broken down into an overview section and one concerned with detailed implementation

Overview

Description of contingency
Contingency impact
Risk profile
Investment appraisal cost/risk reduction
Date plan last updated
Who updated
Access – hard copy or Intranet
Security considerations
Legal factors that are involved with the contingency plan
Audit requirements
Plan leader and contact details
Plan deputy and contact details
Other stakeholders and contact details
Authority and responsibility defined for each
Enterprise previous experience and lessons learnt
Other organisation experience and lessons learnt
How real cause of contingency is identified
Information system: accuracy and frequency
Information system does or does not provide immediate alerts when barrier conditions breached
Components of contingency physically designed out
Components of contingency operationally designed out (equipment, procedures)
Components of contingency shared with other stakeholders
Components of contingency mitigated with other stakeholders
Training on contingencies – induction, maintenance, development
Random inspection method, frequency
Post event audit and review responsibility

Action planning

Trigger point 1
Trigger point 1 defined
Time
Technique
Budget
Success milestone
Communication – internal
Communication – external
Trigger point 2
Trigger point 2 defined
Time
Technique
Budget
Success milestone
Communication – internal
Communication – external

Presented in tabular form for the business plan it will provide an essential part of overall risk management

Factor

Description

Overview

 

Contingency

 

Risk profile

 

Investment appraisal

 

Last update

 

Who updated

 

Access

 

Security

 

Legal factors

 

Audit requirements

 

Plan leader

 

Plan deputy

 

Other stakeholders

 

Enterprise previous experience and lessons learnt

 

Other organisation experiences

 

How real cause of contingency is identified

 

Information system

 

Alert mechanism

 

Items physically designed out

 

Items shared

 

Items mitigated

 

Training

 

Random inspection methodology

 

Post event audit/ responsibility

 

Trigger point 1

 

Definition

 

Time

 

Budget

 

Technique

 

Success milestone

 

Communication – internal

 

Communication – external

 

Outcome review

 

Trigger point 2

 

Definition

 

Time

 

Technique

 

Budget

 

Success milestone

 

Communication – internal

 

Communication – external

 

Outcome review

 

Ibis provides three alternative case studies for contingency plan training – SpiceBin a consumer goods company, Coral Reef a tropical hotel, and MagicMarker an industrial technology company. In each case, participants are required to establish the relevant contingency plan for the company using the worksheets provided.