Organizations need to make contingency planning one of their key undertakings and then approach it like any other: Establish policies and procedures, identify threats, conduct risk assessments, implement processes, identify corrective actions, and establish a mindset of continuous improvement. And audit.
As they say, "Hope for the best but prepare for the worst."
Years ago, while working as a military analyst, I helped to reconstruct contingency response command and control at major U.S. Navy shore installations on the Gulf Coast before, during, and after hurricanes Katrina, Rita, and Wilma. The study confirmed (to nobody’s surprise) the following with regard to contingency planning and situational awareness:
- Installation commanders and staffs had prepared documented contingency plans and situational awareness strategies from which to execute flexible responses. Once vital services were restored on-base, the military went into the local communities to help. Local governments lacked the required preparation, training, and expertise.
- Those same installation commanders had been conducting exercises, gathering feedback and “lessons learned” and honing their future responses long before onset of those hurricanes. Local governments had not.
- Local governments turned to the military not only to restore utilities (e.g., providing emergency power to local hospitals and cellphone towers) but to set up command centers in the cities and “assist” local officials through recovery and restoration.
Conclusion: Prepare in advance for contingencies. As they say, “Hope for the best but prepare for the worst.”
This article discusses Contingency Planning and why it is an essential part of any organization, mission, or program regardless of whether or not it’s a pandemic.
What Is Contingency Planning and Where Does It Fit In?
Here is a practical definition for contingency planning:
The process of planning for response to an event or emergency; managing the escalation of an emergency into a crisis condition; recovery and resumption of activities from an emergency or crisis for the infrastructure, and executing critical processes, and other elements of a business or organization. Or more simply: The process of building all the elements of a plan focused on mitigating any interruption to business operations.
Figure 1 summarizes what goes into contingency planning. Department of Defense (DoD) contract program managers must ensure that their programs are prepared for contingencies that have the potential to impact on the program, and (ultimately) the mission that the program serves.
As Figure 1 implies, thorough contingency planning requires the identification of every aspect and requirement of the organization—all missions and under both normal and emergency operations—and with continuous feedback between the planning and execution of those normal and emergency operations.
Contingency planning requires the establishment of goals, objectives, metrics, and measures of effectiveness with which to assess the feedback and identify/analyze gaps between the actual and the required. Also, systems of control are needed for processing the results of the gap identification and analyses.
As always, there must also be a continuous improvement imperative and mindset to motivate, direct, and optimize the entire process.
You might think that contingency planning strongly resembles regular organizational planning. You might be right.
Contingency Planning and Contingency Plans—Not the Same
Much has been written about the difference between the process of “planning” and the creation of “plans.” Some of our greatest military thinkers have praised the process of planning and condemned the creation of arsenals of “plans.” Gens. George S. Patton and Dwight Eisenhower were two who did so. Nice to know that they agreed on something.
Even the most thoughtfully developed contingency plans often fall short in their implementation because they never get fully disseminated, or cannot be executed by on-scene management. Additionally, they often leave out critical considerations, require injections of specialized training, and/or never get exercised. Accordingly, they never get evaluated, rarely get updated to reflect new procedures or capital improvements, and (most unforgivably) they were probably plagiarized from similar but separate organizations in the first place. You get the idea.
If a required course of action is included within a current plan (i.e., the contingency was anticipated), then the current plan survives intact. However, if the required course of action is (in some manner) beyond the current plan, replanning may be necessary. Some plans may need to be scrapped entirely. Both of these actions may consume time and funding. However, a lack of any corrective action (i.e., not replanning or scrapping) can also result in wasted time and personnel, not to mention further degradation of mission effectiveness.
All contingency plans need to have built-in “tripwires” with planned responses that allow on-scene managers to execute when they are satisfied that predetermined criteria have been met. Timeliness of execution should be made part of the strategy and structure of any plan. If a decision to execute requires staffing, concurrence, and/or permission of higher authority, that timeliness can be diminished or even lost completely.
Situational awareness. The military helped solve the problem of too many plans and not enough planning, and of “execution by committee” with the concept of situational awareness, or the ability to recognize a situation (or change in a situation), identify and assess the options, select a course of action, and translate it into actionable orders. For the rest of us, civilian organizations maintain situational awareness when we share, internally and externally, the same operational (big) picture. This enables managers to recognize deviations and fluctuations more rapidly and implement corrective actions almost spontaneously. Managers and auditors should look for and encourage situational awareness when they review the feedback, communication, and continuous improvement mechanisms in the organization.
Specific opportunities to incorporate situational awareness can be found in:
- Standard operating procedures
- Information management (including weather prediction)
- Report generation and simplification
- Planned responses, alarm and alert systems
- Training and qualification systems
Executive “dashboards” and clear-cut lines of authority are needed. Everybody knows who’s in charge; and on-scene managers have sufficient authority to initiate and support expedient recovery.
DoD top management needs to delegate at the right times. The ability of on-scene managers or commanders to enter into (or cancel) contracts or to purchase needed goods and services unilaterally is, in my experience, absolutely essential during contingency operations.
Figure 2 describes the contingency plan “continuum.” That is, the path from and back to normal operations after a disruptive incident. The path takes the organization through response, continuity, recovery/resumption, and then back to normal.
The ability of a program or an organization to travel securely and expeditiously along this continuum depends (1) on the suitability and robustness of the entire planning process; (2) the consistency and likeness of normal and contingency operations; and (3) the ability of on-scene personnel to react without the need for further guidance and direction from above.
Contingency planning, according to the National Fire Protection Association, consists of five components: The strategic plan; the emergency operations/response plan; the mitigation plan; the recovery plan; and the continuity plan. However, the possible establishment of five separate plans (possibly created by five separate levels or functions) creates numerous real and potential interoperability complications, especially over time, as some activities change and others do not. The “strategic plan” required is actually a subset of the overall strategic plan governing the organization. With that in mind, a more streamlined contingency planning strategy, like that shown in Figure 3 would likely be more executable.
All the components of the diagram must be combined, revised, and combined again to create operating plans for normal operations. The shift from a normal to a contingency scenario should be as automatic and transparent as possible.
What You Get When You Plan
- An incident management capability is enabled for effective response
- Critical activities are identified
- Acceptable (and unacceptable) levels of risk are identified as a function of threat and impact analysis. Information flows are enabled, reinforced, or terminated as a function of confidentiality, integrity, availability, currency, and expedience
- The interaction of the organization with regulators, communities, governments, and (possibly) host nations is developed, documented, and understood
- Personnel are trained to respond quickly, meaningfully, and safely to incidents or disruptions—natural or man-made
- Key lines of authority, communication, and supply/resupply are reinforced and secured
- Resources are identified, prioritized, and programmed
- Regulatory compliance responsibilities are understood
- Stakeholders understand their duties in direct or indirect support of the organization
- The organization’s reputation is protected and (most likely) enhanced.
To Plan or Not to Plan—There Is No Question
Many of us, in our auditing adventures, have met managers who consider contingency planning unnecessary. Their reasons vary, but when they directly or indirectly discourage contingency planning, they deny their organizations the adhesive that more fully bonds their people and processes together, through the identification and protection of all products and services, risks and rewards, lines of authority, responsibility, and feedback.
The sidebar (suitable for framing over your desk) reminds you of what you can get when you plan.
Executing Contingency Planning (aka Emergency Response)
Emergency response may be thought of as conducting normal business operations faster than normal.
As discussed, organizations must be capable of executing contingency plans—quickly, efficiently, and completely. Contingency operations should be as close as possible to normal operations, especially since the goal of contingency operations is the rapid restoration of normal operations.
Accordingly, contingency operations should support normal operations and (just like normal operations) should reflect the following:
- Total asset visibility throughout the supply chain
- Organic self-auditing and data collection and analysis
- Process mapping and balancing
- Restoration goals (pieces/hour after 24 hours)
- Clearly defined lines of authority and responsibility
- Up-to-date threat, vulnerability, and risk assessments
- Personnel qualifications, based on needs assessments
- Acquisition authority of on-site management
- Exercises that generate lessons learned and feedback
Exercises should include the involvement and participation of local authorities, or they will risk communications and interoperability problems when the real thing happens. Be careful of how much you simulate. The involvement of the local authorities of host nations (when doing business outside the United States) is even more important. By way of example, commercial ships entering foreign or domestic ports are required to have “port security plans” that mesh with the security plans of the ports in order that the actions of both ship and port support and complement each other. Responses are automatic and unilateral and each player knows what to expect from the other.
Organizations can both enhance and expedite their preparations for exercise or actual contingencies by conducting informal “table-top” exercises, during which representatives from involved organizations come together to “game” potential contingencies. They develop cooperative reactions to imposed threat scenarios. Table-top exercises can be quick, inexpensive vehicles to identify and assess threats, develop needs and risk assessments, and prioritize allocation of personnel and funding. The results of a structured table-top exercise can become very meaningful audit findings, and preclude serious mistakes when and/or if the real thing happens.
Continuity and Recovery—Back to Normal as Quickly as Possible
Auditors assess (and often pass judgment on) the exercise of authority, responsibility, and accountability by top management. We audit quality, environmental compliance, supply chain security, and the like. We look at sales, profit and loss, and training—all in the context of how the organization should operate. Accordingly, we can lose sight of the fact that top management has (as its most fundamental duty) the responsibility for maintaining the ability of the organization to operate, and to operate without disruption. That is, the ability to maintain “continuity.”
British Standard 25999: “Business Continuity Management” defines business continuity as “the strategic and tactical capability of the organization to plan for and respond to incidents and business disruptions in order to continue business operations at an acceptable pre-defined level;” and business continuity management as “a holistic management process that identifies potential threats to an organization and the impacts to business operations that those threats, if realized, might cause, and which provides a framework for building organizational resilience with the capability for an effective response that safeguards the interests of its key stakeholders, reputation, brand, and value-creating activities.”
Recovery is measured not in terms of days or hours but in terms of re-establishment or re-achievement of previously defined objectives. Examples include the resumption of product or service delivery, resumption of performance of an activity or service, or recovery of an IT system or software after an incident.
Again, there must be genuine commonality and cohesion of structure, processes, and lines of authority for an organization to move from normal to emergency, to contingency, to continuity, to recovery and (back) to normal operations.
Summary
All DoD missions and organizations are subject to incidents and disruptions of operations. Disruptions can result from terrorist or cyber attacks; internal occurrences such as fires, utility outages, hacking, or hazardous material spills; or natural disasters such as hurricanes, earthquakes, or floods. And pandemics. Managers and auditors must develop and refine organizations’ ability to react to and mitigate the emergency and initiate restorations until normal operations are fully resumed—while protecting the welfare and safety of their personnel and the neighboring community.
Proactive organizations need to establish, implement, and maintain appropriate plans and procedures (e.g., backing up of records or files) for responses to incidents and emergency situations, and to prevent and/or mitigate their likely consequences.
Emergency response may be viewed as conducting normal business operations faster than normal. It follows, therefore, that emergency processes must be compatible (if not identical in many respects) with normal operations. Emergency response plans and procedures should include all information dealing with identified facilities or services that may be required during or after incidents, disruptions, or emergency situations, in order to restore continuity of operations.
Organizations should periodically review the effectiveness of their emergency preparedness, response, and recovery plans and procedures, especially after the occurrence of incidents or emergencies caused by security breaches and/or threats.
Contingency-minded program managers and their auditors will test these procedures periodically (as applicable), including scheduling drills and exercises and developing lessons learned and corrective actions as appropriate. This article highlights specific topics, in the hope of inspiring program managers and their auditors to create and maintain robust contingency planning strategies and operate them as any other indispensable management function.
Contingency planning and all that goes with it should be considered not as a cosmetic or mandated expenditure of time and funding, but as an extension of normal management processes—one that adds great value to the organization.
Good managers can do it. Good auditors can help.
Some of our greatest military thinkers have praised the process of planning and condemned the creation of arsenals of “plans.”
Razzetti, a retired U.S. Navy captain, is a management consultant, auditor, military analyst, and frequent contributor to Defense Acquisition magazine and the former Defense AT&L magazine. He is the author of five management books, including Fixes that Last—The Executive’s Guide to Fix It or Lose It Management. The author can be reached at
generazz@aol.com.
