Strategic contingency planning

Download 432.42 Kb.
Size432.42 Kb.
  1   2   3   4   5



Karen Scott-Martinet

Fall 2006

The objective of this study was to develop a strategic contingency planning model to be used to fully incorporate emergency management and business continuity into organization structures. (For the purpose of this study, Emergency Management and Business Continuity were collectively referred to as “contingency planning.”) Presently, contingency planning is mainly done on an operational or tactical level. Current thinking suggests that contingency planning should be an active part of organizations’ overall strategic planning processes as well. Organizations will ultimately be better prepared for future disasters and crises.



Presented to the Professional Studies Department

California State University, Long Beach

In Partial Fulfillment

of the Requirements for the Degree

Master of Science in Emergency Services Administration

By Karen Scott-Martinet

B.A., 1994, University of Hawaii, West Oahu

Fall 2006

Copyright 2006

Karen Scott-Martinet





Purpose of this Study 2

Significance of this Study 3

Approach 4

Limitations 4

Definitions of Key Terms 5
Emergency Management 12

Business Continuity Planning 21

Strategic Planning 31

Scenario Futuring 34

Summary 39
Emergency Management 41

Business Continuity 47

Strategic Planning 51

Scenario Futuring 55

Summary 63
The Strategic Contingency Plan 65

Finding the Gaps 67

The Wider View 69

The Business Case 70

Implementation and Metrics 72

Summary 73

Recommendations 74

Conclusion 75

Summary 76







Emergency management and business continuity planning (collectively referred to as contingency planning) are vital programs for any organization that wants to survive and prosper. Contingency planning can be a time-consuming, costly process and, consequently, it is used in public and private sector entities to varying degrees. In the absence of proper planning, a crisis or disaster could devastate an organization, its people and its assets. Various estimates of failure rates of businesses after a disaster abound. While there is no way to confirm these statistics, they seem to suggest that contingency planning will improve the odds of an organization’s survival.

Due to the fear of terrorist attacks, cyber crime, pandemics and the increasing costs of natural disasters, more organizations than ever before are considering contingency planning to help protect their people, assets, and facilities. As organizations become more complex, disruptions can cause greater and more frequent impacts. The terrorist attacks on the World Trade Center in New York in 2001, the Phuket Tsunami in 2004 and the devastation left behind by Hurricanes Katrina, Rita, and Wilma in 2005 have shown how these impacts can affect the entire world.

A challenge for organizations is lack of knowledge about how to effectively implement a contingency planning system and incorporate it into the entity’s strategic plans. “Strategic planning is the process of formulating and implementing decisions about an organization’s future direction. This process is vital to every organization’s survival because it is the process by which the organization adapts to its ever-changing environment, and the process is applicable to all management levels and all types of organizations” (Kerzner, 2001, p. 15).

Contingency planners are now asserting that contingency planning is a value-added component that can be a competitive advantage in the marketplace as well a means of helping organizations save money. Processes that are deeply analyzed in terms of continuity will usually be more secure, and new ways of working may emerge to help streamline operations. Contingency planning can be useful when forging alliances with external organizations or during acquisition phases. Contingency planning should be part of an organization’s quality cycle as well. “Business continuity and disaster recovery have gained somewhat in the eyes of top corporate management since the start of the 1990s. As the industry has slowly evolved from what could almost have been called a ‘black art’ to something starting to resemble a disciplined science, basic business principles have begun to become increasingly relevant” (Rothstein, 2003, p. 1).

Purpose of this Study

In this study, the fields of emergency management, business continuity, strategic planning and scenario futuring were critically analyzed with a goal of developing an integrated strategic contingency planning model. This model will assist organizations in bringing their contingency planning program to a strategic level. Contingency planning can be fully integrated with day-to-day business processes if a new mindset is promulgated in the organization. Contingency planning no longer needs to be an isolated, specialized process; rather it should be integrated into the foundation of an organization. An organization is normally in business to stay in business, so practicing contingency planning is a logical component of successful business operations. Not-for-profit and public sector entities also need to prepare for continuity of services in order to assist constituents and citizens. “By including the continuity strategies in the company’s strategic plan, they are naturally reviewed periodically and updated when the strategies of the company change. The business continuity strategies become part of the corporate culture and a natural part of management thinking. Additionally, since this new element has been added to the company’s existing planning program, the marginal cost associated with maintaining it is substantially reduced” (Stagl, 2003, p. 39).

Significance of this Study

Contingency planning is a systematic process that is usually not fully integrated with normal business processes and traditionally focuses more on the tactical and operational side of planning. A well-developed contingency planning system might consist of policies, procedures, checklists, guidelines, plans, and other documents and resources. Components of contingency planning such as first response, a command structure, crisis management and business resumption are typically addressed.

When a company conducts its strategic planning, the information and expertise available in the contingency planning department are not utilized or utilized fully when contingency planners are not invited to participate in the process. Contingency planning is usually an overhead component, not (seemingly) contributing much to the bottom line. Contingency planners, by using strategic methods and business concepts, will enhance their ability to be recognized and accepted as vital strategic team members and gain top level support.

This study was designed to demonstrate how contingency planning can better fit into a corporate or public sector model. Integrating contingency planning into the fundamental structure of the organization will help the entity to survive more effectively. When the entity’s players put their all pieces together, the entity will be better protected and better prepared.


The approach used in this study was to provide a background in contingency planning processes and then show how strategic planning processes can be applied to make a more effective contingency planning program. Chapter 2 presents a review of literature in the emergency planning, business continuity, strategic planning and scenario futuring fields to provide a foundation for the study. Chapter 3 is comprised of an examination of the existing planning methodologies of emergency management, business continuity, strategic planning and scenario futuring. In Chapter 4, these comprehensive planning methods are synthesized into a more integrated strategic contingency planning process. Chapter 5 presents the conclusion and recommendations.


This study does not specifically address the information technology (IT) aspects of contingency planning due to the complexity and emergent nature of information systems products. IT departments may have very detailed plans in place to recover hardware, software, telecommunication and other systems. These preparations are usually known as disaster recovery plans. It is incumbent upon business continuity personnel, however, to ensure that their IT departments are fully aware of critical systems and recovery priorities. Without the three-prong approach of emergency management, business continuity and disaster recovery, organizational recovery may be severely impeded.

This study also does not specifically address the security of the organization. Security and contingency planning often go hand-in-hand in organizations. Many security features such as fences, controlled access systems, cameras, etc. are taken into consideration when doing contingency planning. However, the security field, which is technologically complex, is beyond the scope of the present study.

Definitions of Key Terms

Business Continuity Management Program: An ongoing management and governance process supported by senior management and resourced to ensure that the necessary steps are taken to identify the impact of potential losses, maintain viable recovery strategies and plans, and ensure continuity of products/services through exercising, rehearsal, testing, training, maintenance and assurance. (DRJ Editorial Advisory Board, 2005)
Business Continuity Team: Designated individuals responsible for developing, execution, rehearsals, and maintenance of the business continuity plan, including the processes and procedures. Similar terms: disaster recovery team, business recovery team, recovery team. Associated term: crisis response team. (DRJ Editorial Advisory Board, 2005)
Business Impact Analysis (BIA): The Business Impact Analysis is a process designed to identify critical business functions and workflow, determine the qualitative and quantitative impacts of a disruption, and to prioritize and establish recovery time objectives. Similar terms: Business Exposure Assessment, Risk Analysis. (DRJ Editorial Advisory Board, 2005)
Crisis Management: The overall coordination of an organization's response to a crisis, in an effective, timely manner, with the goal of avoiding or minimizing damage to the organization's profitability, reputation, or ability to operate. (DRJ Editorial Advisory Board, 2005)
Crisis Management Team: A crisis management team will consist of key executives as well as key role players (i.e. media representative, legal counsel, facilities manager, disaster recovery coordinator, etc.) and the appropriate business owners of critical organization functions. (DRJ Editorial Advisory Board, 2005)
Damage Assessment: An appraisal or determination of the effects of the disaster on human, physical, economic, and natural resources. (NFPA, 2004, Section 3.3.2, p. 1600-4)
Disaster: A sudden, unplanned calamitous event causing great damage or loss as defined or determined by a risk assessment and business impact analysis; 1) Any event that creates an inability on an organizations part to provide critical business functions for some predetermined period of time. 2) In the business environment, any event that creates an inability on an organization’s part to provide the critical business functions for some predetermined period of time. 3) The period when company management decides to divert from normal production responses and exercises its disaster recovery plan. Typically signifies the beginning of a move from a primary to an alternate location. Similar terms: Business Interruption; Outage; Catastrophe. (DRJ Editorial Advisory Board, 2005)
Disaster/Emergency Management Program: A program that implements the mission, vision, and strategic goals and objectives as well as the management framework of the program and organization. (NFPA, 2004, Section 3.3.3, p. 1600-4)
Disaster Recovery Planning: The technological aspect of business continuity planning. The advance planning and preparations that are necessary to minimize loss and ensure continuity of the critical business functions of an organization in the event of disaster. Similar terms: Contingency Planning; Business Resumption Planning; Corporate Contingency Planning; Business Interruption Planning; Disaster Preparedness. (DRJ Editorial Advisory Board, 2005)
Emergency: An unexpected actual or impending situation that may cause injury, loss of life, destruction of property or cause the interference, loss or disruption of an organization’s normal business operations to such an extent that it poses a threat. (DRJ Editorial Advisory Board, 2005)
Emergency Management/Emergency Planning: “When disasters threaten or strike a jurisdiction, people expect elected leaders to take immediate action to deal with the problem. The government is expected to marshal its resources, channel the efforts of voluntary agencies and private enterprise in the community, and solicit assistance from outside the jurisdiction if necessary. In all states and most localities, that popular expectation is given force by statute or ordinance. Governments can discharge their emergency management responsibilities by taking four interrelated actions: mitigation, preparedness, response, and recovery. A systematic approach is to treat each action as one phase of a comprehensive process, with each phase building on the accomplishments of the preceding one. The overall goal is to minimize the impact caused by an emergency in the jurisdiction.” (FEMA, 1996, p. 12)
Five Phases of Emergency Management:

  1. Prevention (proposed language): Activities taken to avoid or to stop a disaster/emergency from occurring.

  2. Preparedness (Section 3.3.9): Activities, programs, and systems developed and implemented prior to a disaster/emergency that are used to support and enhance mitigation of, response to, and recovery from disasters/emergencies.

  3. Response (Section 3.3.11): In disaster/emergency management applications, activities designed to address the immediate and short-term effects of the disaster/emergency.

  4. Recovery (Section 3.3.10): Activities and programs designed to return conditions to a level that is acceptable to the entity.

  5. Mitigation (Section 3.3.7): Activities taken to eliminate or reduce the probability of the event, or reduce its severity or consequences, either prior to or following a disaster/emergency.

(NFPA, 2004, p.1600-4)
Gap Analysis: A survey whose aim is to identify the differences between BCM/Crisis Management requirements (what the business says it needs at time of an event and what is in place and/or available. (DRJ Editorial Advisory Board, 2005)
Hazard: A natural, technological or social phenomenon that threatens human lives, livelihoods, land use, property or activities. Some hazards may result in a single disaster impact, others are recurrent on a regular (i.e., seasonal) or irregular (random) cycle. The majority are recurrent rather than unrepeatable events. Many types of hazard impact can be characterized by a magnitude-frequency relationship in which the larger the impact the lower its frequency of occurrence. (Alexander, 2002, p. 312)
Hazard or Threat Identification: The process of identifying situations or conditions that have the potential to cause injury to people, damage to property, or damage to the environment. (DRJ Editorial Advisory Board, 2005)
Incident: An event, series of events, or set of circumstances that interrupts normal operating procedures and has the potential to precipitate an emergency or crisis. (Gillis, 1996, p. 4)
Incident Response: The response of an organization to a disaster or other significant event that may significantly impact the organization, its people, or its ability to function productively. An incident response may include evacuation of a facility, initiating a disaster recovery plan, performing damage assessment, and any other measures necessary to bring an organization to a more stable status. (DRJ Editorial Advisory Board, 2005)
Mission-Critical Application: An application that is essential to the organization’s ability to perform necessary business functions. Loss of the mission-critical application would have a negative impact on the business, as well as legal or regulatory impacts. (DRJ Editorial Advisory Board, 2005)
Operational Risk: The risk of loss resulting from inadequate or failed procedures and controls. This includes loss from events related to technology and infrastructure, failure, business interruptions, staff related problems, and from external events such as regulatory changes. (DRJ Editorial Advisory Board, 2005)
Risk Assessment/Analysis: Process of identifying the risks to an organization, assessing the critical functions necessary for an organization to continue business operations, defining the controls in place to reduce organization exposure and evaluating the cost for such controls. Risk analysis often involves an evaluation of the probabilities of a particular event. (DRJ Editorial Advisory Board, 2005)
Risk Categories: Risks of similar types are grouped together under key headings, otherwise known as ‘risk categories’. These categories include reputation, strategy, financial, investments, operational infrastructure, business, regulatory compliance, outsourcing, people, technology and knowledge. (DRJ Editorial Advisory Board, 2005)
Risk Mitigation: Implementation of measures to deter specific threats to the continuity of business operations, and/or respond to any occurrence of such threats in a timely and appropriate manner. (DRJ Editorial Advisory Board, 2005)
Scenario: A pre-defined set of Business Continuity events and conditions that describe, for planning purposes, an interruption, disruption, or loss related to some aspect(s) of an organization’s business operations to support conducting a BIA, developing a continuity strategy, and developing continuity and exercise plans. Note: Scenarios are neither predictions nor forecasts. (DRJ Editorial Advisory Board, 2005)

Stakeholder: “Although there are several ways to classify stakeholders, the most common method is as follows:”

Financial Stakeholders


Financial institutions (suppliers of capital)


The Product/Market Stakeholders

Primary customers

Primary suppliers



Government agencies

Local government committees
Organizational Stakeholders

Executive officers

Board of Directors

Employees in general


(Kerzner, 2001, p. 5)

Strategic Planning: The process by which the guiding members of an organization envision its future and develop the necessary procedures and operations to achieve that future. (Goodstein, Nolan & Pfeiffer, 1993, p. viii)
Strategy: Strategy is about positioning an organization for sustainable competitive advantage. It involves making choices about which industries to participate in, what products and services to offer, and how to allocate corporate resources. Its primary goal is to create value for shareholders and other stakeholders by providing customer value. (de Kluyver and Pearce, 2003, p. 1)
System: A set or arrangement of things so related or connected as to form a unity or organic whole. (Neufeldt, 1994, p. 1359)
Workaround Procedures: Interim procedures that may be used by a business unit to enable it to continue to perform its critical functions during temporary unavailability of specific application systems, electronic or hard copy data, voice or data communication systems, specialized equipment, office facilities, personnel, or external services. (DRJ Editorial Advisory Board, 2005)



Interest continues to grow in the fields of emergency management and business continuity (together referred to as contingency planning). The Department of Homeland Security (DHS) encourages organizations to be prepared for anything that may happen. Though much of DHS’s focus since 2001 has been on terrorism, the multiple hurricanes, earthquakes, floods, and other disasters in 2005 re-focused the country’s attention on natural disaster preparedness. A contingency planner needs to know how personnel, facilities, assets and resources will be impacted by disaster and what will be needed in order to prepare for, respond to and recover from the disaster more quickly. Once the factors are identified and documented, planners can prepare for and mitigate in advance, or at least know more readily what may need fixing after the fact. In order to do all this, contingency planners need to understand the organization's current structure and what has been projected for the future. Contingency planners must look at the organization in terms of a system, with many interrelated parts. “Inefficiencies in planning translate very easily into loss of life, injuries or damage that could have been avoided” (Alexander, 2002, p. 5).

Strategic planners look at both short- and long-range issues and help organizations develop a roadmap for the future. Markets, competitors and products are emphasized; other resources are analyzed in terms of how they support those items. Some threat analysis is done; however, the focus in strategic planning is narrower than that of contingency planners. Risks such as a drop in market share or a change in a popular product may be analyzed. Sometimes, loss of an important customer is considered. Strategic planners may not be aware of, or have access to, the additional threat and risk analysis information that contingency planners consider when developing continuity plans. “The most important contribution that contingency planning can make to an organization is the development of a process for identifying and responding to unanticipated or less-likely events” (Goodstein, et al., 1993, p. 310).

An Internet search in July 2005 of major U.S. business schools revealed that none of the MBA programs had core or elective classes in either business continuity or emergency management, though they had many courses dealing with strategy and marketing. And, very little literature is available to show how contingency planning can be integrated into the strategic planning process. However, current thinking in the field suggests that contingency planning should be viewed as a strategic initiative to increase stakeholder value. “Understanding vulnerabilities, surveying global risks, and implementing safeguards and contingency plans are not just about avoiding the costs of disaster. By integrating risk management into strategic planning, companies can turn smart risk-taking into a competitive advantage” (Laudicina, 2005, p. 196).

Planning is a forward-thinking process. No one can accurately predict the future, so best guesses are made based on previous information and studies of recent events. The process of scenario futuring assists in the strategic planning process by allowing planners to simulate multiple outcomes based on the same basic inputs and a study of emerging trends. By varying the inputs to some degree and examining the resulting stories, an organization may find ways to better survive, no matter what the future holds.

Emergency Management

Modern emergency management developed from the civil defense and civil protection efforts that began in the 1940s to protect civilians against the effects of warfare and nuclear exchange. In the 1970s, the field expanded to include response to disasters caused by natural, technological and human forces (Alexander, 2002, p. ix). Examples of natural events are earthquakes, hurricanes, and floods. Technological events include dam failures, hazardous materials release, and structural collapse. A human-caused event could be a terrorist act, such as flying a jet into a building; launching a destructive computer virus; or blowing up a bus.

Emergency management has traditionally been viewed as a four-phase approach: preparedness, response, recovery and mitigation. In 2004, the Department of Homeland Security recommended a change to five phases: prevention, preparedness, response, recovery and mitigation. Prevention, preparedness and mitigation are closely related. They all deal with the concept of eliminating or at least minimizing impacts of a disaster or incident. Prevention relates to making more informed decisions, such as determining where earthquake faults and flood plains are in order to avoid building in those areas. Prevention can also take the form of increased security measures on a property. Preparedness is used commonly in reference to educating and training residents or personnel, pre-planning, and identifying resources in advance. Mitigation can be carried out before or after an incident. Strapping down equipment, installing hurricane clips on roofs, and building storm shelters are all examples of mitigation. Implementing any of these phases involves money and time, so they may be given insufficient attention in some organizations.

Response generally refers to the immediate actions taken after an incident to save lives and protect assets. Lessening or eliminating subsequent impacts also falls in this category, such as putting out a fire in one building before it spreads to an area filled with explosives or cleaning up a hazardous material spill before it causes more contamination of the environment. Recovery starts almost immediately with response and includes the clean up and return to normal, or better than normal. Recovery can be a short or long process depending upon the incident. If an organization has to recover from a major fire, for example, the recovery process may include extensive, lengthy medical treatment for victims, interactions with insurance companies and fire inspectors, or closing a site and relocating the entire business.

In the past, there were no national or international emergency management standards adopted by all organizations to detail specifically what is required in order to have a successful emergency management program. This situation is rapidly changing, however. In the United States, the 2004 National Response Plan (NRP), as well as Homeland Security Presidential Directives (HSPD) 5 (2003) and HSPD 8 (2003), expanded the roles and responsibilities of federal, state and local organizations. The National Response Plan (Department of Homeland Security, 2004) specified that:

The purpose of the NRP is to establish a comprehensive, national, all-hazards approach to domestic incident management across a spectrum of activities including prevention, preparedness, response, and recovery. The NRP incorporates best practices and procedures from various incident management disciplines—homeland security, emergency management, law enforcement, firefighting, hazardous materials response, public works, public health, emergency medical services, and responder and recovery worker health and safety—and integrates them into a unified coordinating structure. (p.2)

The NRP also addressed the private sector and encouraged that sector to follow governmental guidelines:

Private-sector owners and operators, particularly those who represent critical elements of infrastructure or key resources whose disruption may have national or major regional impact, are encouraged (or in some cases required under law) to develop appropriate emergency response and business continuity plans and information-sharing and incident-reporting protocols that are tailored to the unique requirements of their respective sector or industry, and that clearly map to regional, State, and local emergency response plans and information-sharing networks. (p.x)

Download 432.42 Kb.

Share with your friends:
  1   2   3   4   5

The database is protected by copyright © 2022
send message

    Main page