Most organizations do not spend any time even thinking about that, nor considering it in their decision processes, nor prepare for it. An organisation that do, will have an IT architecture. For example limiting exposure in the first place. For example, they might chose to not have have any servers with Windows in the first place. They might have a thin client or web oriented workflow for endpoint applications, which make switching out Windows easier on employee mdchines. They might have already have multiple OSes in use, to check that critical systems can be successfully accessed without Windows. That said, it is of course a big endeavour.