The classic and proper protection for a controller failure is to have a backup controller installed in your system. The cost of hardware has come down, and the elimination of the cost of backup licensing through centralized licensing makes physical controller redundancy attractive. With physical controller redundancy, it is possible that your users will not even know that there is a failure.
Now, onto your question:
For APs to be able to work without a controller, they must:
- Be configured as remote APs already
- Be serving an SSID that has a preshared key
- That SSID must be using bridge mode
To use bridge mode, the VLANs necessary for users must be trunked to each AP so that it will work when the controller is in and out of the picture. In this mode, no traffic goes through the controller; it only goes through the APs. This strategy was very popular before Instant APs, which do not require a controller, were created.
If you had to build a redundant network today, I would suggest either Instant APs (which do not require a controller) or a backup controller along with a master controller.