Business Continuity Planning: How Much Is Right for You?

The elaborate machinations that USAA goes through in developing and testing its contingency plans might strike the average CSO as a bit over the top. After all, HazMat training and an evacuation plan for 20,000 employees is not a necessity for every company. Like much of security, the issue of continuity planning comes down to basic risk management: How much risk can your company tolerate, and how can that risk can be effectively mitigated?

In planning for the unexpected, companies have to weigh the risk versus the cost of creating such a contingency plan. It's a trade-off that Pete Hugdahl, USAA's assistant vice president of security, frequently confronts. "It gets really difficult when the cost factor comes into play," he says. "Are we going to spend $100,000 to fence in the property? How do we know if it's worth it?"

Andmake no mistakethere is no absolute answer. Whether you spend the money or accept the risk is an executive decision. However, USAA has found that testing your plan is an inexpensive and important step.

Here's a contingency planning toolkit:

  • Develop and practice a contingency plan that includes a succession plan for your CEO.
  • Train backup employees to perform emergency tasks. The employees you count on to lead in an emergency won't always be available.
  • Consider creating offsite crisis meeting places for top executives.
  • Make sure average employees—as well as executives—re involved in the exercises so that they get practice in responding to an emergency and following orders in chaos.
  • Make exercises realistic enough to tap into employees' emotions so that you can see how they'll react when the situation gets stressful.
  • Practice crisis communication with employees, customers and the outside world.
  • Invest in an alternate means of communication in case the phone networks go down.
  • Form partnerships with local emergency response groupsfirefighters, police and EMTsto establish a good working relationship. Let them become familiar with your company and site.
  • Evaluate your company's performance during each test, and make changes to ensure constant improvement. Continuity plans should reveal weaknesses.
  • Regularly test your continuity plan to reveal and accommodate changes. Technology, personnel and facilities are in a constant state of flux at any company.

Copyright © 2002 IDG Communications, Inc.

The 10 most powerful cybersecurity companies