What is Contingency Planning and How Does It Work?

All businesses, including financial institutions, deal with unexpected risks. Knowing how to deal with these surprises through contingency planning — particularly when they occur across internal operations, vendor systems, and other risk areas — is a critical component of business continuity management and overall business resiliency. 

Contingency planning is the process of preparing for unexpected events or disruptions that could impact your institution. It’s about recognizing risks (what could go wrong) and having clear, actionable steps ready to respond if they do. But how does a contingency plan work? What does it look like in action? Let’s explore the answers to these questions and more. 

Related: A Guide to Operational Resilience for Financial Institutions

Why contingency planning matters

Every financial institution (FI) faces risks, including natural disasters, information technology (IT) failures, cyber ransomware attacks, financial setbacks, and human errors. While they may be standalone incidents, the risks can quickly escalate into larger risks and impact other areas across your FI. For example, a vendor outage doesn’t just impact your institution’s operations — it affects customer service, compliance, risk, and so on. In 2023, a single ransomware attack at a third-party service provider affected more than 60 credit unions and hundreds of their members, who were unable to access their online and mobile banking solutions. 

A contingency plan is essentially a ‘Plan B’ when these types of events occur. It’s about preparing alternative strategies and procedures to quickly fill in the gaps, ensuring the FI can continue to operate and serve its customers and members.

Think of your financial institution as a ship. While the waters are calm, the watertight compartments built into the hull are unnoticed and unappreciated. However, when a storm comes, the same compartments — your contingency plan — seal off the damage, buying your “crew” precious time to respond, assess the situation, and decide on the correct course of action.

Contingency planning vs. business continuity  

While contingency planning and business continuity are related, they are distinct. 

Contingency planning is a targeted, tactical response — that Plan B designed to guide your organization through specific unexpected events. Business continuity, on the other hand, takes a more strategic, big-picture approach. It’s about ensuring the organization can continue operating — and recover quickly — when disruptions occur. That includes not just contingency plans, but also resilience, recovery strategies, cyber preparedness, and vendor management. 

In short, contingency planning is one part of a larger business continuity framework that focuses on keeping the organization running, regardless of the circumstances.

Related: What is Business Continuity for Financial Institutions?

What does a contingency plan look like? 

A well-structured contingency plan has one clear goal: to ensure your FI can respond quickly and cohesively when a disruption occurs.

Here’s what a contingency plan looks like in action:

• Critical systems and processes are identified. There’s no confusion about what items need to be prioritized.
• Response steps are already mapped out. Team members can move quickly to maintain or restore operations.
• Everyone knows their role. Responsibilities are pre-assigned to avoid scrambling during a disruption.
• Communication flows smoothly. Predefined channels keep staff, customers, and stakeholders informed about the latest updates and developments.
• Backup tools, facilities, or procedures are activated. Essential functions can continue even if primary resources fail.
• The plan has been tested. Team members aren’t left guessing what to do. They’re poised and prepared to tackle their tasks when needed. 

When a contingency plan is in place and ready to go, your institution isn’t just reacting; it’s responding with clarity, control, and purpose.

Contingency plan examples (Contingency Funding Plan and Natural Disaster Contingency Plan)

While most business continuity plans address the who, when, and how aspects, areas such as liquidity risk (which regulators have monitored more closely following recent bank failures) require more specialized contingency planning. 

For example, a Contingency Funding Plan (CFP) focuses on how an organization will manage funding shortfalls during periods of stress. A CFP should:

• Identify possible stress scenarios, both institution- and market-specific
• Estimate how much liquidity would be needed in each case
• Outline reliable funding sources
• Define escalation procedures
• Assign clear ownership
• Include monitoring indicators or triggers that would prompt action 

Natural disaster contingency plans also require specific elements. One focused on tornadoes would include:

• Shelter in place locations with emergency resources such as water, blankets, and medical kits
• Accounting for the whereabouts of staff (at impacted office, home, vacation, etc.)
• Alternatives for impacted services
• Damage assessments

Regular testing and board-approved oversight are also essential to ensure the plan is both practical and exam-ready. Contingency plans also cover other core areas, such as power outages, banking system failure, vendor breaches, and key personnel changes. 

Related: Is Your FI’s Contingency Funding Plan Exam Ready?

How do I create a contingency plan? 

Do you need to build a contingency plan or update an existing document? Follow these seven steps to create a practical and regulator-ready plan:

1. Start with a Policy Statement. Policies are governance tools. Your policy statement sets the foundation by outlining its purpose, scope, and the authority behind your plan. It clarifies who's responsible and why the plan matters.
2. Conduct a Business Impact Analysis. A BIA evaluates and analyzes the potential effects of an event. It helps identify which systems and processes are mission-critical so you can prioritize recovery efforts where they matter most.
3. Identify Preventive Controls. Think of these as safeguards that reduce the chance of disruptions in the first place. Examples include employee training, access controls, and firewalls. Strong controls not only increase system resilience but also lower the long-term cost of recovery.
4. Build Contingency Strategies. This is your recovery game plan. It should include clear, actionable steps for quickly restoring systems online after an incident, based on risk and impact.
5. Document the Contingency Plan. If it isn't documented, it didn't happen. Include detailed procedures for restoring operations, tailored to each system's recovery requirements and security level. Don't forget to include vendors as part of this plan.
6. Test and Train. Your contingency plan is only as good as your team's ability to use it. Regular testing shows whether it works, while training ensures staff know what to do when the time comes.
7. Maintain and Update. Contingency plans shouldn't collect dust. Review and update the plan regularly, especially after significant changes to your systems, vendors, or risk profile.

While risk isn't unavoidable, contingency planning can help your FI stay at ease, knowing you have the organization, resources, and strategy to overcome even the most challenging circumstances.

Contingency planning is an essential part of business continuity — and so is tabletop testing. Learn how to plan and facilitate a successful tabletop test in our upcoming webinar.