# Contingency plan

> Mediated Wiki article. Canonical URL: https://mediated.wiki/source/Contingency_plan
> Markdown URL: https://mediated.wiki/source/Contingency_plan.md
> Source: https://en.wikipedia.org/wiki/Contingency_plan
> Source revision: 1345754110
> License: Creative Commons Attribution-ShareAlike 4.0 International (https://creativecommons.org/licenses/by-sa/4.0/)

{{Use American English|date=November 2019}}
{{Short description|Plan in case something unexpected occurs}}
A '''contingency plan''', or '''alternate plan''', also known colloquially as '''Plan B''', is a plan devised for an outcome other than in the usual (expected) plan.<ref>{{cite web|url=http://www.merriam-webster.com/dictionary/contingency |title=Definition in the websters dictionary |publisher=Merriam-webster.com |access-date=2014-01-19}}</ref> It is often used for [risk management](/source/risk_management) for an exceptional risk that, though unlikely, would have catastrophic consequences.

==Use==
Contingency plans are often devised by [business](/source/business)es or [government](/source/government)s. There are five steps of implementing contingency plan, which are organize a planning team, assess the scope of the problem, develop a plan, test the plan, and keep the plan up-to-date.<ref>{{Cite book |last=Snedaker |first=Susan |title=Business continuity and disaster recovery planning for IT professionals |date=2014 |publisher=Syngress |others=Chris Rima |isbn=978-1-299-85332-4 |edition=2nd |location=Waltham, MA |oclc=858657442}}</ref> For example, if many employees of a company are traveling together on an aircraft which crashes, killing all aboard, the company could be severely strained or ruined by such a loss. Therefore, many companies have procedures to follow in the event of such a disaster. The plan may also include standing policies to mitigate a disaster's potential impact, such as requiring employees to travel separately or limiting the number of employees on any one aircraft. Effective contingency planning can increase [organizational resilience](/source/Workplace_resilience) in the workplace.

During times of crisis, contingency plans are often developed to explore and prepare for any eventuality. During the [Cold War](/source/Cold_War), many governments made contingency plans to protect themselves and their citizens from [nuclear attack](/source/Nuclear_warfare). Examples of contingency plans designed to inform citizens of how to survive a nuclear attack include the booklets ''[Survival Under Atomic Attack](/source/Survival_Under_Atomic_Attack)'', ''[Protect and Survive](/source/Protect_and_Survive)'', and ''[Fallout Protection](/source/Fallout_Protection)'', which were issued by the British and American governments. Today there are still contingency plans in place to deal with [terrorist attack](/source/terrorist_attack)s or other catastrophes.

The [National Institute of Standards and Technology](/source/National_Institute_of_Standards_and_Technology) has published a contingency planning guide for [information technology](/source/information_technology) systems.<ref>{{cite web|url=http://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-34r1.pdf |title=NIST IT Contingency Planning Guide |access-date=2014-01-19}}</ref>

In the United States, all [HAZMAT](/source/HAZMAT) operations require contingency plans. The [United States Environmental Protection Agency](/source/United_States_Environmental_Protection_Agency), through RCRA and EPCRA, has defined specific formats for Local Emergency Planning and the National Contingency Plan.<ref>{{Cite web |url=https://www.epa.gov/aboutepa/national-contingency-plan-superfund-announced |archive-url=https://web.archive.org/web/20140422225010/http://www2.epa.gov/aboutepa/national-contingency-plan-superfund-announced |url-status=dead |archive-date=April 22, 2014 |title=Contingency Planning {{!}} Superfund {{!}} US EPA}}</ref>

== Regulatory requirements ==
Contingency planning is mandated by several regulatory frameworks, particularly in sectors where service disruptions can endanger public safety or compromise sensitive data.

In the United States healthcare sector, the [Health Insurance Portability and Accountability Act](/source/Health_Insurance_Portability_and_Accountability_Act) (HIPAA) Security Rule requires covered entities and [business associate](/source/business_associate)s to establish and implement contingency plans for responding to emergencies or other occurrences that damage systems containing [electronic protected health information](/source/electronic_protected_health_information) (45 CFR 164.308(a)(7)).<ref>{{cite web |title=Security Standards: Administrative Safeguards |url=https://www.hhs.gov/hipaa/for-professionals/security/guidance/administrative-safeguards/index.html |publisher=U.S. Department of Health and Human Services |access-date=2026-03-27}}</ref> The standard includes five implementation specifications: a data backup plan, a disaster recovery plan, an emergency mode operation plan, testing and revision procedures, and an applications and data criticality analysis. The December 2024 [Notice of proposed rulemaking](/source/Notice_of_proposed_rulemaking) (NPRM) to overhaul the HIPAA Security Rule would strengthen contingency planning requirements by mandating restoration of critical systems within 72 hours following a disruption, reflecting lessons from incidents such as the 2024 [Change Healthcare cyberattack](/source/2024_Change_Healthcare_cyberattack) that disrupted healthcare operations nationwide for weeks.<ref>{{cite web |title=HIPAA Security Rule To Strengthen the Cybersecurity of Electronic Protected Health Information |url=https://www.federalregister.gov/documents/2025/01/06/2024-30983/hipaa-security-rule-to-strengthen-the-cybersecurity-of-electronic-protected-health-information |work=Federal Register |date=2025-01-06 |access-date=2026-03-27}}</ref>

The [National Institute of Standards and Technology](/source/National_Institute_of_Standards_and_Technology) (NIST) [SP 800-34](/source/NIST_Special_Publication_800-34), ''Contingency Planning Guide for Federal Information Systems'', provides detailed guidance on developing contingency plans for federal systems, including business impact analysis, recovery strategies, and plan testing.<ref>{{cite web |title=SP 800-34 Rev. 1: Contingency Planning Guide for Federal Information Systems |url=https://csrc.nist.gov/publications/detail/sp/800-34/rev-1/final |publisher=National Institute of Standards and Technology |date=May 2010 |access-date=2026-03-27}}</ref> The [Federal Financial Institutions Examination Council](/source/Federal_Financial_Institutions_Examination_Council) (FFIEC) requires financial institutions to maintain business continuity plans that address cyber-related disruptions and ensure recovery of critical operations within established timeframes.<ref>{{cite web |title=Business Continuity Management |url=https://www.ffiec.gov/guidance.htm |publisher=Federal Financial Institutions Examination Council |access-date=2026-03-27}}</ref>

== See also ==
{{Portal|Business and economics}}
* {{annotated link|CERT Coordination Center|CERT}}
* {{annotated link|Computer security}}
* {{annotated link|Fail-safe}}
* {{annotated link|Information assurance}}
* {{annotated link|Information security}}
* {{annotated link|Risk}}

==References==
{{reflist}}

==External links==
*[http://www.acp-international.com/ Association of Contingency Planners]

{{Occupational safety and health}}
{{Underwater diving|divsaf}}
{{Authority control}}

Category:Civil defense
Category:Emergency management
Category:Home front
Category:IT risk management
Category:Military terminology

---
Adapted from the Wikipedia article [Contingency plan](https://en.wikipedia.org/wiki/Contingency_plan) by Wikipedia contributors ([contributor history](https://en.wikipedia.org/wiki/Contingency_plan?action=history)). Available under [Creative Commons Attribution-ShareAlike 4.0 International](https://creativecommons.org/licenses/by-sa/4.0/). Changes may have been made.
