IB Business Crisis Management Contingency Planning

When Everything Goes Wrong: Crisis Management & Contingency Planning (HL)

It's a perfectly normal Friday morning in July 2024. Millions of people are trying to board flights, check into hospitals, use their bank cards, and watch live TV. Then, suddenly - everything stops working. Screens everywhere flash the same terrifying blue message. The dreaded Blue Screen of Death.

This wasn't a movie. This was the CrowdStrike outage of July 19th, 2024 - one of the largest IT failures in history. A single faulty software update from a cybersecurity firm called CrowdStrike knocked out approximately 8.5 million Windows devices across the globe. Airlines cancelled thousands of flights. The NHS in the UK scrambled. Supermarkets couldn't process payments.

Delta Air Lines alone lost an estimated $500 million in just a few days.

So here's the question that every IB Business Management examiner loves to ask: how do businesses actually survive moments like this - and what separates the ones that do from the ones that don't?

What we are covering today might be one of the most real-world useful things you study in the entire course.

What Is a Crisis?

Before we get into the topic, let's get the definition sorted. A crisis in business is basically any event that seriously threatens a company's ability to operate - and potentially its survival. We're talking:

• Financial meltdowns

• Economic recessions

• Severe weather (floods, storms, wildfires)

• Power failures

• Major product recalls

• Outbreaks of infectious diseases (sound familiar?)

• Fires

• Employees going on strike

• Natural disasters

Some of these you can see coming a mile off. Others hit you like a summer storm - completely out of nowhere.

Crisis Management vs. Contingency Planning

These two terms may sound similar, but they are not the same thing, and mixing them up in an exam is an easy way to lose marks.

• Contingency planning is what you do before anything goes wrong. It's the business equivalent of putting a spare tyre in your car before you get a puncture on the motorway. Key term: Prevention.

• Crisis management is what you do when everything has already gone sideways. It's the frantic call to a breakdown service at 11pm in the rain.

More formally:

Crisis management is the response taken by a business in the event of an actual crisis occurring.

Contingency planning is the development of predetermined strategies to deal with a crisis, should it ever occur.

Contingency planning involves things like scenario planning - basically asking "what if?" questions. What if our factory floods? What if our main supplier goes bust? What if a virus takes down our entire IT system? (CrowdStrike clients who had decent contingency plans recovered much faster than those who didn't.)

Crisis management, on the other hand, is live, reactive, and high-pressure. There's no script - or rather, the script should have been written in advance during contingency planning.

Four Factors That Make or Break Crisis Management

Not all businesses handle crises well. Some come out looking like heroes. Others - well, let's just say some PR teams have earned their salaries the hard way. The difference usually comes down to four key factors: transparency, communication, speed, and control.

1. Transparency

When a crisis hits, the temptation for many businesses is to go quiet, play it down, or - worst case - try to cover it up. This almost always makes things much worse.

Transparency is about being honest with your stakeholders - employees, customers, investors, the public - even when the truth is uncomfortable.

Here's a distinction you need to know for the exam:

• Quantifiable risks are financially measurable threats. Things like fire damage to a factory, theft of stock, or a road accident involving a company vehicle. You can put a number on these - insurance companies do it all the time.

• Unquantifiable risks are threats that are extremely difficult to measure - like the outbreak of a new infectious disease (hello, COVID-19) or a terrorist attack. These are so unpredictable and complex that you genuinely can't price them accurately.

The reason transparency matters more for unquantifiable risks? Because when something unprecedented happens, people are scared and confused. A business that steps forward and says "here's what we know, here's what we don't know, and here's what we're doing about it" earns trust. A business that goes silent earns suspicion.

IB Business Management Real-life example: When Johnson & Johnson's Tylenol products were tampered with in Chicago back in 1982 (yes, I Know this is an old one, but it's still the gold standard case study in crisis management), the company immediately recalled 31 million bottles, halted all advertising, and communicated openly with the public. They didn't know who was responsible, but they acted with total transparency. Result? They rebuilt consumer trust and Tylenol is still one of the best-selling pain relief brands in the US today.

Compare that to Boeing's handling of the 737 MAX crashes in 2018 and 2019. Two crashes. 346 people killed. Initial responses were slow, communications were unclear, and internal documents later revealed the company had known about software issues. The lack of transparency cost Boeing over $20 billion in settlements, fines, and lost orders - and the reputational damage is still being felt today.

2. Communication

Closely linked to transparency is communication - and specifically, getting the right message to the right people at the right time.

During a crisis, a business needs to contact:

• Emergency services (where relevant)

• Employees

• Insurers

• The media

• Customers and the wider public

Most large businesses have a dedicated PR (public relations) team whose job it is to manage exactly this. Think of them as the business's voice during a crisis - carefully crafting messages that are honest, reassuring, and strategically timed.

Communicating corporate social responsibility (CSR) during a crisis is also important. Even if the public doesn't need to know every detail, the business still needs to demonstrate that it is acting responsibly and ethically. How a company behaves during a crisis often shapes its reputation for years afterwards.

IB Business Management Recent Real-Life example: When the Francis Scott Key Bridge in Baltimore, USA collapsed in March 2024 after being struck by a cargo ship, the shipping company's crisis communications were under intense scrutiny. How quickly did they communicate? Who did they contact first? What were they saying publicly? These decisions had enormous legal and reputational consequences.

3. Speed

This one is simple: the faster you respond to a crisis, the better your chances of containing it.

A slow response means the crisis spreads - into the media, onto social platforms, into public consciousness - before you've had a chance to get ahead of it. And once a damaging narrative takes hold on social media? Good luck trying to de-escalate that situation.

Probably your textbook gives a brilliant example here: BP and the Deepwater Horizon oil spill in 2010. BP was painfully slow to respond, lost 3.19 million barrels of oil into the Gulf of Mexico, and was eventually fined a record-breaking $14 billion. But beyond the fine, the reputational damage was catastrophic. BP's share price dropped by more than 50% in the weeks following the spill.

Speed also matters for a subtler reason: it lets a business control the narrative. If you don't tell your story quickly, someone else will - and it probably won't be flattering.

This is especially true in the age of TikTok and Twitter/X, where a crisis can go viral in minutes. Any brand that's had a customer post a complaint video that racked up millions of views overnight will tell you: speed is non-negotiable.

4. Control

The final factor is control - and it works on two levels.

Firstly, having good contingency plans in place means businesses can maintain some control even when chaos hits. Knowing who does what, who makes decisions, and how resources are deployed means the response is organised rather than panicked.

Secondly, control is about preventing crises from happening in the first place. This is where quantifiable risks come in again - because if you can measure a risk, you can manage it. A warehouse that has regular fire safety checks, staff training, and sprinkler systems has more control over the risk of fire than one that does none of those things.

Selecting the right crisis management team is crucial here. You need people who are calm under pressure, experienced in decision-making, and trusted by both internal and external stakeholders.

Contingency Planning: The Pros and Cons

Okay, so contingency planning sounds amazing, right? Plan for every disaster in advance, sail through any crisis. Easy.

Well - not quite. Like everything in business, there are trade-offs.

Advantages of Contingency Planning

• Reduces risk and uncertainty - businesses are better prepared, which minimises panic and disorganisation when things go wrong

• Faster recovery - having a plan means response time is quicker, limiting damage

• Improves safety - both for employees and customers, especially in industries like aviation, healthcare, and manufacturing

• Can lower insurance costs - insurers often offer better rates to businesses with strong risk management frameworks

• Reassures stakeholders - investors, employees, and customers all feel more confident in a business that takes risk seriously

Disadvantages of Contingency Planning

• It's expensive - creating detailed plans, running simulations, and training staff all costs money

• It's time-consuming - senior management time spent on planning is time not spent on other priorities

• Plans can become outdated - the business environment changes, and plans need constant updating

• False sense of security - a business might rely too heavily on a plan that simply doesn't account for the actual crisis when it arrives

• Crises are unpredictable by nature - no matter how well you plan, the real thing rarely plays out exactly as rehearsed

Contingency plans help, but they can't eliminate uncertainty entirely. A crisis is - by definition - disruptive and costly. If it wasn't, it wouldn't be a crisis.

IB Business Management Real-Life Example: The Primark Fire (2023)

Here's a recent UK example worth knowing. In June 2023, a major fire broke out at a Primark store in Belfast's Bank Buildings - one of the most significant retail fires in Northern Ireland's recent history (the original fire was in 2018, with ongoing redevelopment - but fires affecting major retail chains have continued to feature in UK crisis management conversations).

More recently: Marks & Spencer's cyber attack in April 2025 brought the UK retailer to its knees. Online orders were suspended. Click-and-collect was halted. M&S faced weeks of disruption, losing an estimated £300 million in sales and seeing its share price drop significantly. Cyber security experts immediately questioned how prepared the company had been - and whether stronger contingency planning could have reduced the impact.

M&S's response - the speed of their communications, the transparency with customers, and the control they sought to regain - became a live case study in today's topic.

IB Business Management Exam Practice

Try these - they're in the style of IB Paper 3 questions:

Scenario: In April 2025, Marks & Spencer (M&S) suffered a major cyber attack that disrupted online shopping and Click & Collect services across the UK. The retailer suspended online orders for several weeks, communicated with customers via social media, and worked with cybersecurity authorities to contain the breach. M&S estimated losses in the hundreds of millions of pounds.

(a) Identify two stakeholder groups affected by the M&S cyber attack. [2 marks]

(b) Explain why a cyber attack can be considered a crisis for a retail business like M&S. [4 marks]

(c) Explain the importance of transparency and speed in M&S's crisis management response to the cyber attack. [4 marks]

(d) Evaluate the extent to which contingency planning could have reduced the impact of the crisis on M&S. [10 marks]

IB Business Management Summary Section

Crisis management and contingency planning aren't just theoretical concepts. They're the difference between a business that survives a disaster and one that becomes part of the disaster story.

The CrowdStrike outage, the M&S cyber attack, Boeing's 737 MAX nightmare - every one of these was a test of how well a business had prepared, and how well it responded when things went wrong. Some passed. Some failed.

The four factors - transparency, communication, speed, and control - are the actual playbook that businesses live or die by.

And next time something goes catastrophically wrong at a big company and it's all over the news? You'll know exactly what questions to ask.

Enjoyed this? Head over to the IB Business Management Activity Book for more IB Business Management resources, activities, and exam practice.

Exam Practice Model Answers - Crisis Management & Contingency Planning

Scenario recap: M&S suffered a major cyber attack in April 2025, disrupting online shopping and Click & Collect services. Online orders were suspended for several weeks. Losses estimated in the hundreds of millions of pounds.

(a) Identify two stakeholder groups affected by the M&S cyber attack. [2]

Two stakeholder groups affected by the M&S cyber attack are:

• Customers - who were unable to place online orders or use Click & Collect services during the disruption.

• Shareholders/investors - who experienced a decline in M&S's share price and faced uncertainty over the financial losses resulting from the attack.

(Other acceptable answers: employees, suppliers, creditors/lenders)

(b) Explain why a cyber attack can be considered a crisis for a retail business like M&S. [4]

A crisis is an event that seriously threatens the operations and potentially the survival of a business. A cyber attack qualifies as a crisis for M&S for the following reasons.

Firstly, the attack directly disrupted M&S's core revenue-generating operations. The suspension of online orders and Click & Collect services meant that M&S was unable to serve a significant portion of its customer base, resulting in estimated losses of hundreds of millions of pounds. This represents a major, sudden threat to the business's financial stability.

Secondly, a cyber attack creates a reputational crisis. Customers may lose trust in M&S's ability to protect their personal and financial data, which could lead to a long-term loss of customer loyalty. In the highly competitive UK retail market, reputational damage of this scale can have consequences far beyond the immediate financial losses.

Therefore, the combination of immediate operational disruption and longer-term reputational risk clearly qualifies the cyber attack as a crisis for M&S.

(c) Explain the importance of transparency and speed in M&S's crisis management response to the cyber attack. [4]

Transparency is the ethical obligation of a business to be honest and to inform stakeholders of the truth during a crisis. For M&S, being transparent with customers about the nature and scale of the cyber attack was essential to maintaining trust and goodwill. By communicating openly - for example, via social media - M&S demonstrated accountability, which can prevent further reputational damage. Stakeholders, including customers and investors, are generally more forgiving when a business is honest about its difficulties, particularly when the crisis - such as a cyber attack - was largely beyond its immediate control. Without transparency, rumour and misinformation risk filling the information vacuum, potentially worsening public perception.

Speed is equally critical, as a slow response allows the crisis to escalate. In M&S's case, a rapid response helped contain the operational disruption and signalled to stakeholders that the business was in control of the situation. Given the viral nature of social media, any delay in communicating or acting could have allowed a more damaging narrative to develop unchecked. A swift, decisive response also helps to limit the financial losses associated with the crisis by restoring normal operations as quickly as possible.

(d) Evaluate the extent to which contingency planning could have reduced the impact of the crisis on M&S. [10]

Contingency planning involves the development of predetermined strategies to deal with a crisis should it occur, including scenario planning and business continuity plans. In the context of M&S's 2025 cyber attack, there is a strong argument that better contingency planning could have reduced - though not eliminated - the impact of the crisis.

Arguments that contingency planning could have reduced the impact:

A well-developed cyber security contingency plan would have included simulation exercises - essentially rehearsing a cyber attack scenario before one actually occurred. This would have meant that M&S's IT and crisis management teams knew exactly what steps to take, reducing response time and limiting the operational disruption to online services. Speed is a critical factor in crisis management, and contingency planning directly supports a faster response.

Furthermore, contingency plans typically include business continuity measures - alternative systems or manual processes that can keep essential operations running even when primary systems fail. Had M&S invested in redundant server infrastructure or offline order management systems, the suspension of Click & Collect and online orders may have been avoided entirely, or at least significantly shortened. This could have reduced the estimated £300 million financial loss considerably.

Additionally, contingency planning would have included a communication strategy - pre-agreed messaging for stakeholders, a nominated spokesperson, and established channels for public communication. This would have reduced the risk of mixed messaging or delays in informing customers, helping to protect M&S's reputation during the crisis.

Arguments that contingency planning has its limits:

However, it is important to acknowledge that contingency planning cannot fully eliminate the impact of every crisis. Cyber attacks represent an unquantifiable risk - they are constantly evolving, highly sophisticated, and extremely difficult to predict or measure accurately. Even businesses with extensive cyber security contingency plans have suffered serious breaches; for example, the NHS has experienced repeated cyber incidents despite significant investment in risk management.

Contingency planning is also costly and time-consuming. For M&S, a major multi-channel retailer operating across hundreds of stores and a large e-commerce platform, developing and maintaining detailed contingency plans for every possible risk scenario would require significant financial and managerial resources. There is an opportunity cost involved - resources spent on planning cannot be spent on product development, store investment, or other strategic priorities.

Finally, contingency plans can become outdated. The tactics used by cyber criminals in 2025 may be entirely different from those anticipated when a plan was written two or three years earlier. A false sense of security created by an outdated plan can, in some cases, make a business less prepared than one that remained vigilant and adaptive.

Conclusion:

On balance, contingency planning would almost certainly have reduced the impact of the M&S cyber attack - particularly in terms of response speed, operational continuity, and stakeholder communication. However, it is unrealistic to suggest it could have prevented the crisis entirely. Cyber attacks are unquantifiable risks by nature, and no plan can fully anticipate every threat. The most effective approach for a business of M&S's scale is to invest in robust, regularly updated contingency plans combined with a strong real-time crisis management capability - recognising that preparation and response must work together, not independently.

Stay well,

Explore Topics:

IB Business Management Hub Page

IB Business Management Module 5 Operations Management Hub Page

IB Business Management Toolkit Page

IB Business Management Activity Book Page