Contingency plan

From Wikipedia, the free encyclopedia

A contingency plan, or alternate plan, also known colloquially as Plan B, is a plan devised for an outcome other than the one in the usual (expected) plan.[1] It is often used in risk management for an exceptional risk that, though unlikely, would have catastrophic consequences.

Use

Contingency plans are often devised by businesses or governments. There are five steps to implementing a contingency plan: organize a planning team, assess the scope of the problem, develop a plan, test the plan, and keep the plan up to date.[2] For example, if many employees of a company are traveling together on an aircraft which crashes, killing all aboard, the company could be severely strained or ruined by such a loss. Therefore, many companies have procedures to follow in the event of such a disaster. The plan may also include standing policies to mitigate a disaster's potential impact, such as requiring employees to travel separately or limiting the number of employees on any one aircraft. Effective contingency planning can increase organizational resilience in the workplace.

During times of crisis, contingency plans are often developed to explore and prepare for any eventuality. During the Cold War, many governments made contingency plans to protect themselves and their citizens from nuclear attack. Examples of contingency plans designed to inform citizens of how to survive a nuclear attack include the booklets Survival Under Atomic Attack, Protect and Survive, and Fallout Protection, which were issued by the British and American governments. Today there are still contingency plans in place to deal with terrorist attacks or other catastrophes.

The National Institute of Standards and Technology has published a contingency planning guide for information technology systems.[3]

In the United States, all HAZMAT operations require contingency plans. The United States Environmental Protection Agency, through RCRA and EPCRA, has defined specific formats for Local Emergency Planning and the National Contingency Plan.[4]

Regulatory requirements

Contingency planning is mandated by several regulatory frameworks, particularly in sectors where service disruptions can endanger public safety or compromise sensitive data.

In the United States healthcare sector, the Health Insurance Portability and Accountability Act (HIPAA) Security Rule requires covered entities and business associates to establish and implement contingency plans for responding to emergencies or other occurrences that damage systems containing electronic protected health information (45 CFR 164.308(a)(7)).[5] The standard includes five implementation specifications: a data backup plan, a disaster recovery plan, an emergency mode operation plan, testing and revision procedures, and an applications and data criticality analysis. The December 2024 notice of proposed rulemaking (NPRM) to overhaul the HIPAA Security Rule would strengthen contingency planning requirements by mandating restoration of critical systems within 72 hours following a disruption, reflecting lessons from incidents such as the 2024 Change Healthcare cyberattack, which disrupted healthcare operations nationwide for weeks.[6]

The National Institute of Standards and Technology (NIST) SP 800-34, Contingency Planning Guide for Federal Information Systems, provides detailed guidance on developing contingency plans for federal systems, including business impact analysis, recovery strategies, and plan testing.[7] The Federal Financial Institutions Examination Council (FFIEC) requires financial institutions to maintain business continuity plans that address cyber-related disruptions and ensure recovery of critical operations within established timeframes.[8]

See also

  • CERT – Internet governance organization
  • Computer security – Protection of computer systems from information disclosure, theft or damage
  • Fail-safe – Design feature or practice
  • Information assurance – Multi-disciplinary methods for decision support systems security
  • Information security – Protecting information by mitigating risk
  • Risk – Possibility of something bad happening

References

  1. "Definition in the Webster's dictionary". Merriam-webster.com. Retrieved 2014-01-19.
  2. Snedaker, Susan (2014). Business continuity and disaster recovery planning for IT professionals. Chris Rima (2nd ed.). Waltham, MA: Syngress. ISBN 978-1-299-85332-4. OCLC 858657442.
  3. "NIST IT Contingency Planning Guide" (PDF). Retrieved 2014-01-19.
  4. "Contingency Planning | Superfund | US EPA". Archived from the original on April 22, 2014.
  5. "Security Standards: Administrative Safeguards". U.S. Department of Health and Human Services. Retrieved 2026-03-27.
  6. "HIPAA Security Rule To Strengthen the Cybersecurity of Electronic Protected Health Information". Federal Register. 2025-01-06. Retrieved 2026-03-27.
  7. "SP 800-34 Rev. 1: Contingency Planning Guide for Federal Information Systems". National Institute of Standards and Technology. May 2010. Retrieved 2026-03-27.
  8. "Business Continuity Management". Federal Financial Institutions Examination Council. Retrieved 2026-03-27.