Your business contingency plan: What to do before disaster strikes
When you think of economic disasters, what comes to mind? For many people these days, it’s a global pandemic or an oncoming recession. It’s been years since the COVID-19 pandemic began in late 2019, but small businesses that managed to survive still face challenges.
There are many lessons and innovative ideas that have resulted from negative experiences. From natural disasters and global pandemics to leaders passing on, unexpected events can disrupt our lives and our livelihoods.
Although we may not like thinking about negative events affecting our business, it is important to prepare a business contingency plan. This action plan is a proactive strategy that involves overall business improvements, risk assessments, and crisis management.
With the right business continuity practices in place, you can mitigate the potential impact of unforeseen events and continue to grow a healthy business.
Disclaimer: This content is for informational purposes only and should not be construed as legal or financial advice. Always consult an attorney or financial advisor regarding your specific legal or financial situation.
TL;DR: In a crisis, what should I do first?
Be sure to read this post in its entirety when you have a sec (and a nice cup of coffee). But in the meantime, here’s the key takeaways for business recovery:
| Steps | Details |
|---|---|
| Define activation triggers | Predetermined conditions or thresholds that, when met, formally initiate the contingency plan and mobilize response efforts. Federal guidance on plan activation criteria |
| Identify incident lead and alternates | Designate a primary point of authority responsible for managing the crisis response, along with backup individuals prepared to assume that role if needed. How to assign roles and ensure accountability |
| Pull emergency contacts | Retrieve the pre-compiled list of critical contacts — including key staff, vendors, and service providers — needed to coordinate an immediate response.How to maintain primary and secondary contact lists for all suppliers, vendors, utilities, and emergency responders |
| Execute website/data incident steps | Follow documented procedures to contain, assess, and remediate any breach, outage, or compromise affecting business systems or sensitive data.Full incident handling lifecycle: Detect, Respond, and Recover. |
| Switch to backup suppliers | Activate pre-arranged agreements with secondary vendors to maintain the continuity of essential goods or services when primary suppliers are unavailable.How to prioritize supplier criticality and maintain documented backup arrangements. |
| Publish first internal/customer update | Issue an initial communication to employees and affected customers acknowledging the incident, providing known facts, and outlining next steps.Create defined communication procedures for use during a business continuity incident. |
| Review available financial aid (SBA) | Assess eligibility for Small Business Administration disaster loans or relief programs to help offset financial losses incurred during the disruption.Explore Economic Injury Disaster Loans (EIDLs) and Physical Disaster Loans available to businesses in declared disaster areas. |
What do all these terms mean? Key definitions and risk framework
Now that we’re diving deeper into the subject, let’s lay a foundation with some key definitions and a framework for evaluating risk.
- Business contingency plan: A proactive, scenario-specific playbook that outlines the immediate actions a business takes when a disruptive event occurs. It focuses on short-term response steps to stabilize operations and limit damage in the critical hours and days following an incident.
- Business continuity: The broader, ongoing strategy that ensures essential business functions can operate (at reduced or full capacity) throughout and after a disruption. It encompasses people, processes, and resources needed to keep the organization running over the long term. (The international benchmark for implementing a Business Continuity Management System (BCMS) is ISO 22301:2019 — Security and Resilience: Business Continuity Management Systems, applicable to organizations of all sizes and sectors.)
- Disaster recovery: The technical and operational process of restoring systems, data, and infrastructure to full functionality after a significant incident. It is a subset of business continuity, focused specifically on recovery timelines, data restoration, and returning to normal operations. (For IT-specific disaster recovery planning, refer to NIST SP 800-34 Rev. 1 — Contingency Planning Guide for Federal Information Systems, which defines a seven-step contingency planning process including Business Impact Analysis, RTO/RPO setting, and plan testing — widely adopted in the private sector.)
Risk scoring formula
Risk = Likelihood × Impact
| Score | Likelihood | Impact |
|---|---|---|
| 1 | Rare | Minimal disruption |
| 2 | Possible | Moderate disruption |
| 3 | Likely | Severe / critical disruption |
A combined score of 6–9 signals a high-priority risk requiring immediate contingency planning, 3–5 warrants moderate preparedness measures, and 1–2 can be monitored with basic precautions.
Use this scoring to triage which scenarios your contingency plan should address first.
Think of it this way: the contingency plan is your emergency response, business continuity is your endurance strategy, and disaster recovery is your path back to normal — all informed by where your risks score highest.
What are the processes that work pre- and post-disaster?

One way to prepare before a disaster strikes is to use processes and frameworks in your regular business operations that can be easily carried over in the event of a disaster. Part of the problem with planning for unforeseen events is in the word itself: you can’t see it before it happens.
But if you and your team are already accustomed to a certain workflow process that can be used regardless of disaster type, you don’t have to predict what might happen, and you can trust the system will continue to work.
From checklist systems to remote work and transparent communication, focus on ways you can improve your current business. This will help create a smoother transition from pre-disaster to post-disaster.
Create a business that embraces checklists
Whichever checklist or process you implement, make sure you practice operating around it on at least a monthly basis, if not in a day-to-day capacity. If you only review it quarterly – or worse, annually – you may find that your team struggles to remember the details of each process.
Then, when a business setback occurs, your efforts to use the system developed in the event of a disaster may cause more harm than good. (This cadence is consistent with NIST SP 800-34 Rev. 1, §3.5 — Testing, Training, and Exercises, which recommends regular testing to validate that contingency procedures remain current and effective.)
How do I compile and organize a list of possible business risks?
Unforeseen disasters are hard to predict or plan for, but there are many known potential risks that can occur. Prepare for these risks through business contingency planning. Compile a list of possible business risks and disasters that can affect your business. Then use that list to develop clear business contingency plans for significant setbacks.
Organize the risks according to types of contingency plans. These might include environmental disasters, technology failure or breach, PR debacles, or personal injury or health setbacks. You can then further organize your lists by severity and likelihood.
Conduct a business impact analysis to determine which systems and processes in your business are likely to be affected and to what degree. (The Business Impact Analysis (BIA) is a core requirement of ISO 22301:2019, Clause 8.2 — Business Impact Analysis and Risk Assessment, and a BIA template is also available as a free supplemental resource from NIST SP 800-34 Rev. 1 .)
If you have an ecommerce company, a data breach is a high likelihood and high-severity event. On the other hand, a brief power outage would be a low likelihood and low-severity event. Prioritize developing a contingency plan for a data breach or major tech failure that would heavily impact your customers and your financial security.
Small-business risk matrix
How to use: Review quarterly. Activate a plan when its Trigger condition is met. Priority = Likelihood × Impact score.
| Risk Category | Likelihood (1-5) | Impact (1–5) | Priority Score | Trigger to Activate Plan | First Three Actions | Responsible Owner | RTO |
|---|---|---|---|---|---|---|---|
| Environmental / Natural Disaster (flood, fire, earthquake, wildfire) | 2 | 5 | 10 | Official weather emergency declared OR building becomes unsafe to occupy | 1. Evacuate staff using posted plan. 2. Run damage-prevention checklist (shut off gas, secure servers). 3. Activate remote work protocols. | Facilities Manager | 4 hrs to remote ops; 72 hrs to assess re-entry |
| Technology Failure (server crash, prolonged outage, software failure) | 4 | 4 | 16 | Website/core system downtime exceeds 30 minutes | 1. IT on-call triggered via monitoring alert. 2. Switch to backup/redundant server. 3. Notify customers via status page & social media. | IT Manager / CTO | 1–4 hrs full restoration; 30 min backup live |
| Data Breach / Cybersecurity Attack | 3 | 5 | 15 | Unauthorized access detected OR customer data confirmed exposed | 1. Isolate affected systems immediately. 2. Activate incident response plan & notify Legal. 3. Begin regulatory notifications (GDPR/CCPA) and scope assessment. | CISO / IT Security Lead | Containment: 1 hr; Full report: 72 hrs |
| Supply Chain Disruption (supplier failure, shipping delay, shortage) | 3 | 4 | 12 | Primary supplier misses delivery by >48 hrs OR announces closure | 1. Contact pre-vetted backup supplier. 2. Notify operations of revised lead times. 3. Assess inventory buffer and adjust orders. | Procurement / Ops Manager | 24–72 hrs for alternative sourcing |
| Staffing / Coverage Gap (sudden absence, turnover, illness) | 4 | 3 | 12 | Key role vacant with <24 hrs notice OR team capacity drops below 60% | 1. Reference cross-training matrix for backup. 2. Activate on-call freelancer/contractor roster. 3. Redistribute critical tasks via coverage calendar. | HR Manager / Team Lead | 4–8 hrs for critical role coverage |
| PR Crisis / Reputation Damage (negative press, social media backlash, lawsuit) | 2 | 4 | 8 | Negative story published OR social media mention volume spikes abnormally | 1. Convene leadership + PR lead within 2 hrs. 2. Draft and approve a public-facing response statement. 3. Pause scheduled marketing and monitor sentiment. | CEO / PR / Marketing Lead | Public response within 4 hrs; resolution plan within 24 hrs |
| Personal Injury / Employee Health Emergency | 2 | 4 | 8 | On-site injury reported OR employee medical emergency occurs | 1. Call emergency services immediately (911). 2. Clear area and administer first aid if certified. 3. File incident report and notify HR & Legal. | HR / Office Safety Officer | Emergency response: immediate; Incident report: 24 hrs |
| Employee Burnout / Mental Health Crisis | 4 | 3 | 12 | Pulse survey flags critical stress levels OR manager identifies burnout in 1:1 | 1. Manager initiates private check-in within 24 hrs. 2. Temporarily redistribute workload or approve emergency PTO. 3. Connect employee with EAP resources. | HR Director / Direct Manager | Workload adjustment: 24 hrs; Policy review: 30 days |
| Financial / Economic Instability (recession, cash flow crisis, industry downturn) | 3 | 5 | 15 | Revenue drops >20% MoM OR industry-wide layoff wave reported | 1. Pull and review 90-day cash flow forecast. 2. Identify and freeze non-essential spending. 3. Schedule all-hands to communicate status transparently. | CEO / CFO | Financial assessment: 48 hrs; Staff communication: 24 hrs |
| Knowledge Gap / Key-Person Dependency | 3 | 3 | 9 | Key employee exits unexpectedly OR critical process found undocumented | 1. Assign interim owner to cover the knowledge gap. 2. Initiate emergency documentation sprint for critical processes. 3. Update onboarding/training materials. | Ops Manager / Dept Lead | Critical process documented: 48 hrs; Full manual review: quarterly |
Priority score guide
| Score | Risk Level | Action |
|---|---|---|
| 16–25 | Critical | Immediate plan required; review monthly |
| 10–15 | High | Plan in place; review quarterly |
| 5–9 | Moderate | Monitor actively; review bi-annually |
| 1–4 | Low | Document and watch; review annually |
Maintenance cadence
- Monthly → Review all critical risks
- Quarterly → Full matrix review; update Likelihood/Impact scores based on current conditions
- Annually → Revalidate all owners, RTOs, and trigger conditions with department leads
- After any activation → Conduct a post-mortem within 5 business days and update the relevant row
This maintenance cadence mirrors the continuous improvement cycle required by ISO 22301:2019, Clause 10 — Improvement, and the testing and update frequency recommended in NIST SP 800-34 Rev. 1, §3.5 .
This matrix is designed to be living documentation — scores and owners should shift as your business grows, your team changes, and your risk environment evolves.
Outline potential issues your team could face
Once you’ve created lists of potential threats, outline the issues that would manifest as a result of the negative event. To develop an effective business contingency plan, you need to know what issues will arise and how you can solve them. Here are common issues that can occur when disaster strikes and possible solutions to include in your contingency plan:
1. Supply chain issues
| Element | Detail |
|---|---|
| First three actions | Audit current suppliers and identify single-source dependencies.Designate at least 2 pre-vetted backup suppliers per critical input. Build and maintain a live supplier contact sheet with lead times and MOQs. |
| Owner | Operations / Procurement Manager |
| Escalation path | Ops Manager → COO → CEO; notify Finance if cost impact >10% of budget |
| Target RTO | 24–72 hours for alternative sourcing activation |
Standard: NIST CSF 2.0, GV.SC-04 and GV.SC-05 requires organizations to identify and prioritize suppliers by criticality and integrate supply chain risk requirements into contracts and agreements. FEMA Ready.gov — Business Continuity Planning also recommends identifying key suppliers and alternate sources as a foundational preparedness step.
2. Lack of co-worker coverage
| Element | Detail |
|---|---|
| First three actions | Create a cross-training matrix mapping each role to a trained backup.Build a vetted roster of on-call freelancers/contractors per department.Publish a shared coverage calendar so all staff know who covers whom and when. |
| Owner | HR Manager / Team Leads |
| Escalation path | Team Lead → Department Head → HR Director; engage staffing agency if internal roster is exhausted |
| Target RTO | 4–8 hours to activate coverage for critical roles |
Standard: ISO 22301:2019, Clause 8.1 — Operational Planning and Control requires organizations to ensure that the people, processes, and resources necessary to deliver continuity are identified, maintained, and available. Cross-training and staffing redundancy are core implementation tools.
3. Emergency tracking
| Element | Detail |
|---|---|
| First three actions | Select and roll out a single, agreed-upon communication tool (e.g., Slack channel, WhatsApp group, or safety app).Establish a mandatory check-in protocol (e.g., employees confirm safety within 1 hour of an incident).Designate a Safety Lead responsible for tracking and following up on non-responders. |
| Owner | HR / Safety Officer |
| Escalation path | Safety Officer → HR Director → Executive Team; contact emergency services if employee cannot be located within 2 hours |
| Target RTO | 100% employee status confirmation within 2 hours of incident |
Standard: OSHA Emergency Action Plan Standard (29 CFR 1910.38) requires employers to establish procedures for accounting for all employees following an evacuation and to maintain an emergency communications system. FEMA Ready.gov — Emergency Response Plan also recommends a two-way employee communication system as a core business preparedness element.
4. Building infrastructure damage
| Element | Detail |
|---|---|
| First three actions | Post and practice evacuation plans for all building scenarios (fire, flood, earthquake, wildfire).Create a damage-prevention checklist (e.g., shut off gas, secure servers, lock down HVAC).Identify and communicate a designated off-site assembly point and remote work fallback location. |
| Owner | Facilities Manager / Office Manager |
| Escalation path | Facilities Manager → COO → CEO; contact building management, utilities providers, and insurance carrier immediately |
| Target RTO | Evacuation complete within 15 minutes; remote operations activated within 4 hours |
Standard: OSHA’s How to Plan for Workplace Emergencies and Evacuations (OSHA Publication 3088) provides detailed requirements for evacuation routes, assembly points, employee accountability, and utility shutdown procedures. FEMA Ready.gov — Business Continuity Planning further recommends creating procedures for operating if your building is inaccessible and documenting an off-site recovery location.
5. Website failure
| Element | Detail |
|---|---|
| First three actions | Configure automatic failover to a backup/redundant server or CDN.Maintain an on-call IT contact list with defined response SLAs.Set up uptime monitoring alerts (e.g., PagerDuty, UptimeRobot) to notify the team within minutes of downtime. |
| Owner | IT Manager / CTO |
| Escalation path | IT On-Call → IT Manager → CTO; notify Marketing/Customer Service to post status updates if outage >30 minutes |
| Target RTO | Full restoration within 1–4 hours; backup site live within 30 minutes |
Standard: NIST SP 800-34 Rev. 1 — Contingency Planning Guide for Federal Information Systems provides the foundational framework for IT system recovery, including guidance on backup server configurations, Recovery Time Objectives (RTOs), and IT contingency plan testing. The guide’s supplemental templates (available for low-, moderate-, and high-impact systems) are directly applicable to ecommerce and web-dependent businesses.
6. Data breach
| Element | Detail |
|---|---|
| First three actions | Immediately isolate affected systems to contain the breach.Notify the security/IT team and activate the incident response plan. Identify the scope of compromised data and begin required regulatory notifications (e.g., GDPR, CCPA). |
| Owner | IT Security Lead / CISO |
| Escalation path | IT Security → CISO → CEO + Legal Counsel; notify affected customers and regulators per legal timelines |
| Target RTO | Containment within 1 hour; full investigation report within 72 hours |
Standard: NIST SP 800-61 Rev. 3 — Incident Response Recommendations and Considerations for Cybersecurity Risk Management provides the authoritative lifecycle for cybersecurity incident handling: Detect → Respond → Recover, including guidance on containment, scope assessment, notification, and post-incident review. This publication supersedes Rev. 2 (2012) and aligns with NIST Cybersecurity Framework (CSF) 2.0 .
7. Knowledge gaps
| Element | Detail |
|---|---|
| First three actions | Conduct a role-by-role audit to identify undocumented processes.Build a centralized, searchable procedure manual (e.g., Notion, Confluence) covering all critical operations.Assign each procedure a named owner responsible for keeping it updated quarterly. |
| Owner | Operations Manager / Department Leads |
| Escalation path | Team Lead flags gap → Ops Manager prioritizes documentation sprint → HR incorporates into onboarding |
| Target RTO | Critical procedure documented within 48 hours of gap identified; full manual reviewed quarterly |
Standard: ISO 22301:2019, Clause 7.2 — Competence requires organizations to ensure that personnel whose work affects business continuity performance are competent, with evidence of training and knowledge documented. Procedure manuals and cross-training records are primary compliance mechanisms.
8. Burnout
| Element | Detail |
|---|---|
| First three actions | Implement a structured PTO policy with shared/team-wide time off (e.g., “Last Fridays Off”) to normalize rest.Conduct quarterly pulse surveys to detect early signs of burnout.Train managers to recognize burnout signals and initiate 1:1 check-ins proactively. |
| Owner | HR Director / People and Culture Lead |
| Escalation path | Manager → HR Director → Employee Assistance Program (EAP); adjust workloads or temporary coverage if burnout is confirmed |
| Target RTO | Immediate workload adjustment within 24 hours of burnout flagged; policy review within 30 days |
Resource: SHRM Foundation — Workplace Mental Health & Thriving Together Initiative provides HR leaders with evidence-based frameworks for identifying burnout, implementing EAP programs, training managers in mental health literacy, and building a culture of psychological safety. SHRM research (2024) found that 44% of U.S. employees report feeling burned out — making proactive policies a business continuity issue, not just an HR one.
9. Job security concerns
| Element | Detail |
|---|---|
| First three actions | Schedule regular all-hands or town hall meetings to share honest financial updates.Provide a clear, consistent message about the company’s stability plan and any protective measures in place. Create an anonymous Q&A channel where employees can raise concerns without fear of retaliation. |
| Owner | CEO / Executive Leadership Team |
| Escalation path | HR flags rising anxiety → CEO addresses in all-hands → if restructuring is unavoidable, Legal + HR lead severance/transition communications |
| Target RTO | Initial communication to staff within 24 hours of a triggering event (e.g., market downturn, industry layoffs) |
Resource: The SBA — Disaster Assistance portal offers Economic Injury Disaster Loans (EIDLs) that provide working capital to businesses unable to meet operating expenses during a declared disaster — a direct tool for stabilizing payroll and addressing job security during financial disruption. For communication strategy, ISO 22301:2019, Clause 7.4 — Communication requires organizations to define what, when, and how they communicate internally during a crisis.
How do I set up a contingency plan that emphasizes business continuity?

An effective business contingency plan takes all of your business needs into account and outlines ways in which you will keep the business running and growing. Whether you use a contingency plan template or start from scratch, here are a few key steps toward setting up your disaster recovery plan:
Use the Risk = Likelihood × Impact formula discussed above to prioritize each step below:
1. Inventory your risks
- What to do: Brainstorm every internal and external threat — cyberattacks, supply chain failures, natural disasters, key-person dependencies, and more. Score each using the risk matrix (Likelihood × Impact).
- Outcome: A prioritized risk register that ensures planning efforts are focused on your highest-scoring threats first.
- Owner: Operations Lead + Department Heads
Standard: ISO 22301:2019, Clause 6.1 — Actions to Address Risks and Opportunities requires organizations to formally identify risks that could affect business continuity objectives and document them in a structured risk register. FEMA Ready.gov — Business Continuity Planning provides a plain-language starting framework for small businesses.
2. Run a lightweight business impact analysis (BIA)
- What to do: For each high-priority risk, identify which business functions would be disrupted, estimate the financial and operational cost per hour/day of downtime, and flag any regulatory or contractual obligations at stake.
- Outcome: A clear picture of which functions are mission-critical and cannot tolerate disruption, forming the foundation for all continuity decisions.
- Owner: Operations Lead + Finance Lead
Standard: The BIA is a mandatory component of ISO 22301:2019, Clause 8.2 and Step 2 of the seven-step contingency planning process in NIST SP 800-34 Rev. 1 . NIST also offers a free, downloadable BIA Template as a supplemental resource to that publication.
3. Define activation criteria
- What to do: Establish specific, unambiguous thresholds — such as system downtime exceeding two hours, a supplier failing to deliver for 24 hours, or a data breach confirmed — that formally trigger the contingency plan.
- Outcome: A written activation criteria document that removes guesswork, prevents delayed responses, and ensures the plan is launched consistently every time.
- Owner: Incident Lead + Executive Sponsor
Standard: NIST SP 800-34 Rev. 1, §3.4 — Activation and Notification Phase provides a template for documenting activation conditions, notification trees, and damage assessment procedures that apply to IT contingency and broader operational plans.
4. Assign roles and build a RACI
- What to do: Map every critical response action to a person or team using a RACI framework — clarifying who is Responsible, Accountable, Consulted, and Informed for each task during an active incident.
- Outcome: An unambiguous role structure that eliminates confusion during high-stress situations and ensures no task is left without a designated owner.
- Owner: HR or People Lead + Operations Lead
Standard: ISO 22301:2019, Clause 5.3 — Organizational Roles, Responsibilities and Authorities requires top management to assign and communicate all roles relevant to the BCMS. A RACI matrix is a widely accepted implementation tool for this requirement.
Sample RACI snapshot:
| Task | Incident Lead | IT Lead | Finance Lead | Exec Sponsor |
|---|---|---|---|---|
| Activate Plan | R | I | I | A |
| Notify Customers | A | I | C | R |
| Restore Systems | C | R | I | A |
| Access Emergency Funds | I | I | R | A |
5. Draft scenario-specific checklists
- What to do: For each high-scoring risk, build a step-by-step action checklist covering the first 1 hour, first 24 hours, and first 7 days of response. Include decision points, communication templates, and escalation paths.
- Outcome: Ready-to-execute checklists that allow any team member — not just leadership — to take decisive, coordinated action the moment a trigger is met.
- Owner: Department Heads + Incident Lead
Standard: NIST SP 800-34 Rev. 1, §3.3 — Develop the Contingency Plan recommends scenario-specific response procedures with detailed, sequenced action steps for different impact levels. NIST provides low-, moderate-, and high-impact system templates that can be adapted for non-IT scenarios.
6. Set recovery objectives (RTO and RPO)
- What to do: For each mission-critical function identified in your BIA, define your Recovery Time Objective (RTO) — the maximum acceptable downtime — and your Recovery Point Objective (RPO) — the maximum acceptable data or operational loss measured in time.
- Outcome: Quantified recovery targets that drive infrastructure decisions, backup schedules, and vendor SLAs, giving the business a measurable bar for what “recovered” actually means.
- Owner: IT Lead + Operations Lead
Standard: RTO and RPO are formally defined and required in both NIST SP 800-34 Rev. 1, §2.3 — Recovery Objectives and ISO 22301:2019, Clause 8.2 — Business Impact Analysis. These targets form the technical baseline for backup frequency, failover architecture, and supplier SLAs.
7. Schedule regular testing and plan updates
- What to do: Conduct tabletop exercises or live simulations at least twice per year, review and update the plan after every test, real incident, or major business change — such as a new supplier, system migration, or headcount shift.
- Outcome: A living contingency plan that stays accurate, battle-tested, and aligned with the current state of the business, rather than a document that gathers dust until it is urgently needed.
- Owner: Incident Lead + Executive Sponsor
Standard: Regular testing is a core requirement of ISO 22301:2019, Clause 8.5 — Exercising and Testing , which mandates that organizations exercise their business continuity plans at planned intervals to verify their effectiveness. NIST SP 800-34 Rev. 1, §3.5 — Testing, Training, and Exercises defines specific test types — tabletop, functional, and full-scale — along with documentation and after-action review requirements.
Quick-reference summary
| Step | Key Output | Primary Owner |
|---|---|---|
| 1. Inventory Risks | Risk register with scores | Operations Lead |
| 2. Business Impact Analysis | Mission-critical function list | Operations + Finance |
| 3. Activation Criteria | Trigger thresholds document | Incident Lead |
| 4. RACI Assignment | Role clarity matrix | HR + Operations |
| 5. Scenario Checklists | Step-by-step response guides | Department Heads |
| 6. RTO / RPO Targets | Measurable recovery benchmarks | IT + Operations |
| 7. Testing & Updates | A current, validated plan | Incident Lead |
Collaborate with others on your business contingency plan
Once you’ve set up your course of action, review the backup plan with your team, experts, and stakeholders for final approval. Make sure all employees have access and can contribute to the plan. Not only will it help prevent panic when disaster strikes, but each individual can also provide a unique perspective to improve the plan.
Even after your plan is approved, continue to monitor for new risks and update your contingency plan as needed. As your business evolves in response to the world we live in, your plan should also evolve.
Maintain a “Plan B” brainstorming list
There’s one more list that is useful to keep and refer back to every so often with your team: a “Plan B.” If the world completely shifts, as it did for many during the COVID pandemic, a list of business pivots can help you establish business continuity. Set aside time for your company to brainstorm innovative ideas for the future.
Consider how you can expand or adapt and enter into new markets should you have the need or opportunity to do so. (This concept of adaptive strategy is supported by ISO 22301:2019, Clause 4.1 — Understanding the Organization and Its Context, which requires organizations to continuously monitor internal and external factors that affect their ability to achieve continuity objectives.)
How do I remain a supportive leader?

Regardless of disaster or setback, one thing that every successful business leader does is support their employees. It’s crucial to protect the mental and physical health of people you hire, work with, and pay to run your business. In times of high stress, your employees expect clear guidance and empathy.
An effective business leader encourages their employees to take the time they need to process a difficult experience and then empowers them to be leaders themselves. (For evidence-based frameworks on supporting employee well-being during organizational crisis, see the SHRM Foundation — Thriving Together: Workplace Mental Health Initiative, which equips HR leaders and managers with tools to address burnout, build psychological safety, and sustain employee engagement under pressure.)
Your job is to run a successful business. Part of this success is only possible when you establish trust and improve the well-being of your team. As a supportive leader, maintain open and honest communication and work together to build a business contingency plan that will enhance the safety of your business.
Digital resilience is part of contingency planning
Many contingency plans focus on physical risks, staffing challenges, and operational disruptions. However, digital infrastructure has become equally critical for modern businesses. Website outages, ecommerce failures, cyber incidents, and platform disruptions can all impact revenue and customer trust.
Having a documented plan for rebuilding digital assets can reduce recovery time. AI-powered tools such as GoDaddy Airo AI Builder allow business owners to rapidly create websites, customer portals, booking systems, and online stores without requiring a dedicated development team.
This can be particularly valuable during unexpected disruptions that include your website, customer communication channels, and online sales infrastructure. Tools like Airo can help create replacement digital experiences quickly if existing systems become unavailable.
Additional resources: Business contingency plan templates
Below you will find fill-in-the-blank templates useful in scenarios related to the knowledge you have just gained in this post:
Template 1: Internal Incident Slack / Email Script
- For: All-staff or core response team notification
- When to use: The moment an activation trigger is met
Subject / Slack channel: 🚨 [INCIDENT TYPE] — Response Activated
@channel / Team,
We have identified a(n) [INCIDENT TYPE] affecting [SYSTEM / TEAM / LOCATION] as of [TIME & DATE].
Current status: [Brief 1-sentence description of what is known]
Incident Lead: [NAME] | Backup Lead: [NAME]
Active channel for updates: [SLACK CHANNEL / EMAIL THREAD]
Immediate actions underway:
- [ACTION 1 — e.g., IT isolating affected systems]
- [ACTION 2 — e.g., Backup supplier contacted]
- [ACTION 3 — e.g., Customer comms being drafted]
What we need from you:
[SPECIFIC ASK — e.g., “All staff: confirm safety via this thread by [TIME].”]
Next update by: [TIME]
Questions? Contact: [INCIDENT LEAD NAME & CONTACT]
— [YOUR NAME / LEADERSHIP TEAM]
Aligned with ISO 22301:2019, Clause 8.4.4 — Warning and Communication , which requires a defined internal notification process at incident activation.
Template 2: First Customer Notice
- For: External-facing communication to customers
- When to use: Within the first 1–4 hours of a customer-impacting incident
Subject: Important Update Regarding [SERVICE / PRODUCT / SYSTEM]
Dear [CUSTOMER NAME / “Valued Customer”],
We want to be transparent with you: we are currently experiencing [BRIEF DESCRIPTION — e.g., “a service disruption affecting order processing” security incident involving customer data”].
What happened: [1–2 sentences — what occurred and when]
What we are doing:
- [ACTION 1 — e.g., Our IT team has isolated the issue and is actively working on restoration.]
- [ACTION 2 — e.g., We have notified the relevant authorities / regulatory bodies.]
What this means for you: [IMPACT STATEMENT — e.g., “Orders placed between X and Y may be delayed.”]
What to do if you have concerns: Contact us at [EMAIL / PHONE] or visit [STATUS PAGE URL].
We will provide our next update by [DATE / TIME].
We sincerely apologize for any inconvenience and appreciate your patience.
— [COMPANY NAME] Team
Aligned with ISO 22301:2019, Clause 8.4.4 and NIST SP 800-61 Rev. 3 notification guidance. For data breaches, supplement with applicable GDPR / CCPA regulatory notification requirements.
Template 3: 1-Page Contingency Plan Worksheet
- For: Any business, any incident type
- When to use: Complete one per high-priority risk scenario; store alongside your risk matrix
Contingency plan worksheet
Business Name: ________________ Date: ______ Version: ______
Section 1: Scenario identification
| Field | Detail |
|---|---|
| Risk / Scenario Name | _________________________ |
| Risk Category | ☐ Environmental ☐ Technology ☐ People ☐ Financial ☐ PR / Legal ☐ Other: ____ |
| Likelihood (1–5) | ____ |
| Impact (1–5) | ____ |
| Priority Score (L × I) | ____ |
| Trigger to Activate | _________________________ |
Section 2: Roles
| Role | Name | Contact |
|---|---|---|
| Incident Lead | _________ | _________ |
| Backup Lead | _________ | _________ |
| Responsible Owner | _________ | _________ |
| Exec Sponsor | _________ | _________ |
Section 3: First three actions
| # | Action | Owner | Due |
|---|---|---|---|
| 1 | __________________ | _______ | ____ |
| 2 | __________________ | _______ | ____ |
| 3 | __________________ | _______ | ____ |
Section 4: Communication plan
| Audience | Channel | Message Owner | Timing |
|---|---|---|---|
| Internal Team | _________ | _________ | _______ |
| Customers | _________ | _________ | _______ |
| Vendors / Partners | _________ | _________ | _______ |
| Regulators / Legal | _________ | _________ | _______ |
Section 5: Recovery targets and escalation
| Field | Detail |
|---|---|
| Target RTO | ____________________ |
| Target RPO | ____________________ |
| Escalation Path | _____ → _____ → _____ |
| External Resources | ☐ SBA Disaster Loan ☐ FEMA Ready ☐ Cyber Insurance ☐ Other: _____ |
Section 6: Post-incident review
| Field | Detail |
|---|---|
| Scheduled Review Date | _________________ |
| What worked? | _________________ |
| What needs updating? | _________________ |
| Plan last updated by | _________________ |
Worksheet structure aligned with ISO 22301:2019 Clauses 6, 8, and 10 (Planning, Operations, and Improvement) and NIST SP 800-34 Rev. 1 seven-step contingency planning process. Complete one worksheet per high-priority risk scenario and store alongside your risk matrix.
How these three templates work together
TRIGGER MET
▼
[Template 1] Internal Slack/Email ──→ Team mobilized, roles confirmed
▼
[Template 3] Worksheet activated ──→ Actions, owners, RTOs in motion
▼
[Template 2] Customer Notice sent ──→ External trust maintained
▼
Post-incident: Worksheet Section 6 completed → Plan updated
Testing and maintenance cadence
A plan never tested is a plan that will fail. Run these four exercises on a fixed schedule, measure four KPIs, and update the plan after every cycle.
Required by ISO 22301:2019, Clause 8.5 and NIST SP 800-34 Rev. 1, §3.5.
Scheduled exercises
Quarterly tabletop: Discussion-based, 60–90 min
Rotate one scenario per quarter (technology failure → staffing gap → data breach → supply chain). Incident Lead facilitates; Department Heads required.
| Outcome | Actions |
|---|---|
| Pass | All role owners state their first 3 actions unprompted; internal alert drafted ≤10 min; customer notice drafted ≤20 min; every gap has a named owner at debrief close |
| Fail | Any critical role owner cannot state responsibilities; comms missed time targets; >20% of gaps exist without an owner |
| Output | After-action report filed within 3 business days |
Semiannual Failover Drill: Live execution, half day
Month 6: Activate backup IT systems; verify data restoration meets RPO.
Month 11: Activate backup suppliers and on-call staffing roster.
| Outcome | Actions |
|---|---|
| Pass | Backup live within target RTO; data restored within target RPO; no unresolved single points of failure |
| Fail | RTO exceeded by >25%; data loss exceeds RPO; critical action has no owner or missing credentials |
| Output | Drill report with actual vs. target RTO/RPO filed same day |
Annual full review — Full day, all departments + exec sponsor
Rescore every risk, verify all owners and contacts, audit all checklists, update RTOs/RPOs from drill actuals, refresh communication templates, schedule next year’s full cadence, and obtain executive sign-off.
| Outcome | Actions |
|---|---|
| Pass | All risks rescored; 100% of owners confirmed current; all KPIs trended; next-year calendar set; exec signs off same day |
| Fail | Risk matrix >14 months stale; >25% of owners unverified; two or more KPIs declining with no corrective plan |
| Output | Versioned, signed plan (e.g., v2025.1) distributed to all department heads |
Post-incident review: Within 5 business days of any real activation
Answer six questions: Was the trigger right? Did role owners execute? What were actual vs. target RTOs? How long to first customer update? What was wrong or missing in the plan? What one change would most improve the next response? Log KPI actuals and update the plan within 10 business days.
| Outcome | Actions |
|---|---|
| Pass | Debrief held on time; all six questions answered; every gap owned; KPIs logged |
| Fail | Debrief skipped or late; gaps unassigned; KPI data not recorded |
Four KPIs
| KPI | Formula | Target | Green | Yellow | Red |
|---|---|---|---|---|---|
| Mean Time to Recovery (MTTR) | Total recovery time ÷ number of incidents | ≤ scenario RTO | At or below RTO | 10–25% above RTO | >25% above RTO or trending up over 2 drills |
| % Controls Tested | Controls tested ÷ total controls × 100 | 100% of Priority 10+ controls annually; ≥50% by midyear | 100% by year-end | 75–99% by Q3 | <75% by Q3 or any Priority 15+ untested >12 months |
| % Staff Trained | Staff trained in past 12 months ÷ total staff × 100 | ≥95% rolling; 100% of leads within 30 days of assignment | ≥95%, leads at 100% | 80–94% or a lead role untrained 31–60 days | <80% or critical lead untrained >60 days |
| Time to First Customer Update | Timestamp of first customer comms − trigger timestamp | ≤1 hr (Priority 15+); ≤4 hrs (all others) | Within target window | Within 2× target window | Beyond 2× target or no update issued |
12-month calendar
| Month | Activity |
|---|---|
| 1 | Q1 Tabletop: Technology failure |
| 4 | Q2 Tabletop: Staffing/knowledge gap |
| 6 | Mid-year failover drill: IT systems |
| 7 | Q3 Tabletop: Data breach |
| 10 | Q4 Tabletop: Supply chain financial |
| 11 | Year-end failover drill: Operational / supplier |
| 12 | Annual full plan review + exec sign-off |
| Any | Post-incident review within 5 days of activation |
KPI scorecard
| KPI | Target | Q1 | Q2 / Mid-Year | Q3 | Q4 | YoY Trend |
|---|---|---|---|---|---|---|
| MTTR | ≤ RTO | ___ | ___ | ___ | ___ | ⬆️ ➡️ ⬇️ |
| % Controls Tested | 100% by year-end | ___% | ___% | ___% | ___% | ⬆️ ➡️ ⬇️ |
| % Staff Trained | ≥95% rolling | ___% | ___% | ___% | ___% | ⬆️ ➡️ ⬇️ |
| Time to First Customer Update | ≤1 hr / ≤4 hrs | ___ | ___ | ___ | ___ | ⬆️ ➡️ ⬇️ |
Every Red signal on any KPI triggers an immediate corrective action plan, assigned to the relevant owner, and resolved before the next scheduled exercise.
Standards and resources references
| Standard / Resource | Issuing Body | Relevance | URL |
|---|---|---|---|
| ISO 22301:2019 — Security and Resilience: Business Continuity Management Systems | International Organization for Standardization (ISO) | The global benchmark for building, implementing, and improving a BCMS; covers BIA, risk assessment, RTO/RPO, communication, testing, and continuous improvement | iso.org/standard/75106.html |
| NIST SP 800-34 Rev. 1 — Contingency Planning Guide for Federal Information Systems | National Institute of Standards and Technology (NIST) | Seven-step IT contingency planning process; BIA templates; RTO/RPO definition; plan testing guidance; widely used in the private sector | csrc.nist.gov/pubs/sp/800/34/r1/upd1/final |
| NIST SP 800-61 Rev. 3 — Incident Response Recommendations and Considerations for Cybersecurity Risk Management | National Institute of Standards and Technology (NIST) | Full cybersecurity incident handling lifecycle aligned to NIST CSF 2.0: Detect, Respond, Recover; covers data breach containment, notification, and recovery | csrc.nist.gov/pubs/sp/800/61/r3/final |
| NIST Cybersecurity Framework (CSF) 2.0 — incl. C-SCRM Quick-Start Guide (SP 1305) | National Institute of Standards and Technology (NIST) | Supply chain risk management; cybersecurity governance; supplier criticality prioritization; RACI for third-party risk | nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.29.pdf |
| FEMA Ready.gov — Business Continuity Planning | Federal Emergency Management Agency (FEMA) | Plain-language small business preparedness: emergency contact lists, supplier backup planning, off-site recovery locations, employee communication | ready.gov/business |
| SBA Disaster Assistance — Economic Injury Disaster Loans (EIDLs) & Physical Disaster Loans | U.S. Small Business Administration (SBA) | Low-interest disaster loans for businesses in declared disaster areas; covers operating expenses, payroll continuity, and physical damage recovery | sba.gov/funding-programs/disaster-assistance |
| OSHA Emergency Action Plan Standard — 29 CFR 1910.38 & Publication 3088 | Occupational Safety and Health Administration (OSHA) | Workplace evacuation requirements, employee accountability procedures, emergency communication systems, and utility shutdown protocols | osha.gov/emergency-preparedness/getting-started |
| SHRM Foundation — Thriving Together: Workplace Mental Health | Society for Human Resource Management (SHRM) | Evidence-based HR tools for identifying and responding to burnout, implementing EAPs, training managers in mental health literacy, and sustaining employee well-being | shrm.org/foundation/workplace-mental-health |