Contract-based contingency planning - SOPIVA

Products and services are nowadays produced in networks consisting of several players. The entire network's capability to function is improved by developing the operational reliability of each organisation included in the network. The recommendations for operational continuity management have been prepared in cooperation between business enterprises and public organisations.

The Council for Security of Supply and Infrastructure encourages different organisations to comply with the SOPIVA (contract-based contingency planning) recommendations in their own operations and include these recommendations in the agreements they make.

SOPIVA recommendations work best when agreeing on:

  • Cooperation partnership or strategic partnership
  • Long-term or continuous operations
  • Commodities or factors of production critical from the viewpoint of one's company
  • Such commodities whose production problems are immediately visible in your own operations

Help in preventing disruptions and recovering from them

The aim of the recommendations concerning operational continuity management is to improve operational preconditions of companies and public organisations and to ensure the continuity of their operations also during possible disruptions. By complying with the recommendations, organisations can develop their capacity to prevent possible operational disruptions, reduce the effects of possible disruptions on operations, and speed up recovery from the effects of disruptions.

Preparing for disruptions by means of continuity planning means better operational reliability.

The SOPIVA recommendations, 28 in total, are the best practices collected by representatives of industry. By complying with these recommendations, companies and government organisations are able to prepare for threats in exceptional circumstances and disruptions in normal conditions.

In both situations, the consequences experienced by companies are often similar, only the cause of the disruption may vary. A great number of the recommendations are already in use in companies as procedures for risk management. Thus, adopting them does not cause any significant extra work or costs.

The recommendations are also a flexible way of managing risks. The recommendations can be adopted gradually according to companies' own schedules and supplemented in the course of time. The recommendations do not have to be perfect when they are adopted. The most important thing is that organisations continuously develop their operational reliability in order to minimise disruptions.

Download SOPIVA brochure (pdf, in Finnish)

Examples and tools

The SOPIVA recommendations have been prepared so that it is possible to apply them in different companies and organisations. The text style of the recommendations is very generic. This enables companies to specify and describe in more detail how the recommendations are applied in practice.

FICORA has made specifications and examples of the procedures and the tools with which each SOPIVA recommendation can be utilised in companies.

Companies can, if they so wish, use these examples when implementing recommendations or create new tools of them for utilising the recommendations. However, companies assess and decide themselves what is a sufficient proof of the application of the recommendations.

It is also possible to use the SOPIVA recommendations when assessing the risks of different suppliers as cooperation partners. For this purpose, FICORA has created an Excel table in which more precise assessment targets can be defined for each recommendation and assess how they are implemented in the operations of a cooperation partner.

Streamlined SOPIVA for small and medium-sized companies

Small and medium-sized companies may often think that the SOPIVA recommendations are excessive and difficult to implement. The streamlined version of SOPIVA is meant for companies whose risk management processes are still under development or who otherwise reckon that the basic SOPIVA process is too heavy to be used for their operations.

The streamlined SOPIVA contains a dozen simple recommendations whose adoption in companies can significantly improve operational reliability in case of disruptions. You can print the streamlined SOPIVA and hang it on the wall at your place of business.

Sample statements for agreements

Companies' operational reliability can be developed, for example, by requiring that all partners in the network comply with the recommendations concerning operational continuity management in new procurement or partnership agreements. This concerns both the actual agreement partners and their subcontractors and other network partners.

The purpose of the sample statements is to make the use of the recommendations in agreements easier. The sample statements for agreements are included, as one clause of an agreement, in the actual cooperation agreement or other long-term agreement. The actual SOPIVA recommendations, which are intended for operational continuity management, can be annexed to an agreement.

Sample statements ready to be used:

Continuity planning

Companies' preparedness for the management of operational disruptions both in normal circumstances and in exceptional circumstances is often called continuity planning. The public sector implements contingency planning in the event of exceptional circumstances referred to in law, whereas the companies under the contingency planning obligation implement their own contingency planning.

The threats and the risks related to the operations of an organisation, as well as the procedures for protecting against them and for minimising their impact, are, however, assessed and planned in advance in all of these plans.

The SOPIVA recommendations are one part of continuity planning. A particular purpose of the recommendations is preparing for the management of disruptions independent of companies' own operations. When assessing a company's own preparedness to act during severe disruptions, the company's operations must be planned by means of different continuity management measures.

These measures can be targeted, for example, at the personnel, premises, production equipment, availability of important raw material, energy supply, information systems, telecommunications, logistics, or the environment.

Key words: Information security , Internet , Automation system , Risk management

Updated 31.10.2017

LinkedIn Print


The Finnish Communications Regulatory Authority (FICORA)

The National Cyber Security Centre Finland (NCSC-FI)

Itämerenkatu 3 A

P.O. Box 313


Media contacts by telephone +358 295 390 248