
January 23 2025

What’s a Good Contingency Planning Process Under DORA?

By Kali Geldis

What’s your plan when disaster strikes? Because it’s not a question of “if,” it’s “when.” If it happens at your company, it could get expensive; according to IBM, the number of organizations paying over $50,000 in regulatory fines after a data breach rose 22.7% over the previous year, while those paying over $100,000 went up by 19.5%.

Under the Digital Operational Resilience Act (DORA), financial services and critical suppliers are held to higher operational standards than ever before. If you’re not prepared for unexpected disruptions, your business risks non-compliance, reputation damage, and financial loss.

This is especially important for procurement professionals to understand, as supplier performance and risk reviews may now include new components of contingency planning that require better and cleaner supplier data, as well as additional prescreened suppliers who can deliver in case a vendor is deemed non-compliant or has an outage.

When you establish a contingency planning process, you aren’t merely ticking regulatory boxes. You’re also building greater confidence, agility, and resilience in your operations. In this guide, we’ll break down what makes a contingency plan effective under DORA and how you can create one in 2025.

Understanding contingency planning in business

Contingency planning is your safety net. It allows your business to keep running even when the unexpected happens, whether that’s a major system failure, a data breach, or supply chain issues.

With DORA in place, businesses must rethink how they approach operational resilience. It’s not enough to react when something goes wrong. You need a proactive strategy to handle risks before they spiral out of control.

Take this as your first step: stop treating disruptions as rare anomalies. Instead, build a plan that assumes challenges will come. That’s the mindset shift DORA is pushing for, and it’s why your contingency planning process is so critical.

What is contingency planning in business?

A contingency plan is a structured approach to handling specific risks that threaten your operations. Here’s how it works in practice:

  • Scenario 1: A cybersecurity breach exposes sensitive customer data. Your plan should outline how to isolate the attack, protect your systems, and communicate transparently with stakeholders.
  • Scenario 2: A natural disaster disrupts your primary supplier. Your contingency plan must address alternative vendors, inventory management, and maintaining customer service.

The goal is to minimize disruption, recover quickly, and keep operations stable no matter what happens.

Why is contingency planning important after DORA?

Under DORA, contingency planning in business is a requirement for financial institutions and their critical suppliers. But what’s the real cost of skipping this process?

  • Revenue Loss: A single hour of downtime can cost thousands – if not millions – in lost revenue. For regulated businesses, those numbers climb even higher as customers lose trust and take their business elsewhere.
  • Reputation Damage: Customers expect reliability, especially in financial services. When your operations fail, their confidence plummets. A solid contingency plan makes sure you can deliver on your promises, even under pressure.
  • Compliance Penalties: Falling short of DORA’s standards can lead to high fines, regulatory scrutiny, and even legal consequences. Without a contingency plan, your business isn’t simply unprepared – it’s out of compliance.

DORA raises the stakes, but the benefits of planning go beyond regulation. It’s about staying resilient in an increasingly competitive marketplace. For more information, please review our guide on understanding DORA for businesses.

Business contingency plan vs. business continuity plan

It’s easy to confuse these two terms, but understanding their differences is important:

  • A contingency plan is focused on specific risks. It’s your game plan for handling discrete threats, like a system outage or a vendor failure.
  • A continuity plan ensures your business can keep running, even during a major disruption. It focuses on maintaining operations, regardless of what happens.

Think of them as two sides of the same coin. Your contingency plan handles the “What now?” while your continuity plan answers, “How do we keep going?” Together, they form a thorough resilience strategy.

How to make a contingency plan step-by-step

Building a contingency plan doesn’t have to be complicated. Follow these steps to create a strategy that’s practical, actionable, and aligned with DORA’s requirements.

Prioritize risks based on likelihood and severity

Start by identifying potential threats. Then, rank them based on:

  • Likelihood: How likely is this risk to occur?
  • Severity: How much damage could it cause?

Conduct a business impact analysis (BIA)

A BIA takes your risk assessment to the next level. It answers critical questions like:

  • Which processes are vital to your business?
  • How would a disruption affect revenue, compliance, or customer trust?
  • What dependencies exist between your teams, systems, and suppliers?

For example, if your payment processing system goes down, what’s the immediate financial impact? Mapping these dependencies ensures you understand where to focus your efforts.

Identify triggers that will put your contingency plan into action

Triggers should be clear, measurable, and actionable. Without them, your team might hesitate to act, losing precious time.

Examples of triggers include:

  • A system outage lasting longer than 15 minutes.
  • A vendor missing a critical deadline.
  • A cybersecurity breach detected by monitoring tools.

Define these thresholds in advance to eliminate confusion during a crisis.

Develop an appropriate response

Your plan must include specific responses for each risk. For instance:

  • If a vendor fails, your response might involve activating a pre-approved secondary supplier. This is especially critical for procurement leaders to understand and be prepared for under DORA. You may now need to keep inactive but pre-screened suppliers in your supplier database that can be activated quickly, not just from a technical perspective for the business, but also for contracts, approvals, and other onboarding hurdles.
  • If a system goes offline, your IT team should have a checklist to restore functionality quickly.

The key is to make your response realistic, scalable, and easy to execute under pressure.

Delegate responsibilities clearly

When a crisis hits, who does what? Clear delegation is non-negotiable. Assign roles for every part of your plan, and make sure your team is trained to carry them out.

For example:

  • Assign a point person for supplier communications. This can be category managers or an assigned risk team member. In Graphite Connect, your company has no user limits and can assign specific roles and permissions so risk team members can be an extension of your procurement team as you communicate with suppliers.
  • Ensure IT knows how to manage system recovery.
  • Designate someone to handle customer updates if required.

Pro Tip: Regular drills and training sessions can help your team execute the plan smoothly.

Invest in contingency planning software

Managing risks manually is both outdated and inefficient. When you use an automated supplier relationship management platform like Graphite Connect, both efficiency and accuracy skyrocket. With Graphite, you can:

  • Automate risk assessments.
  • Monitor supplier performance in real time.
  • Centralize your data for easy access during a crisis.

The right software makes the contingency planning process more intuitive; you’ll save time, reduce errors, and have a clear view of risks and responses at every stage.

See how Graphite can power your contingency planning process under DORA

DORA compliance demands more than awareness – it also requires action. With Graphite Connect, the contingency planning process is simplified, helping you manage risks, monitor suppliers, and stay resilient in the face of challenges.

Why risk falling behind? With Graphite, you’ll always be one step ahead. Get started with Graphite Connect—book your demo today!