Security’s Role in Contingency Planning

By Donald C. Sanford

As a Corporate Security Director or the Security Manager of a large company, what is your real role, defined or undefined, in your organization’s contingency, emergency, or recovery plan? Does your company even have a plan, is it required by state or federal law to have such a plan written, and who is responsible for the formulation and implementation of the plan? What is your responsibility and specific function within your organization? Are you responsible only for the physical security of your plant? Do you run a guard force that is all contract, in-house, or a combination of both? Are you, by virtue of the fact that nobody else wants it, also responsible for safety within your organization? What do all these questions have to do with security’s role in contingency (by any name) planning?
First of all, if your organization was atypical of the business world of the ’80s, contingency planning has been getting very little serious attention unless it is mandated by law, such as the financial institutions requirements under federal statute. However, due to a series of widely publicized natural disasters in recent years, most organizations are becoming aware enough of the recovery problems to give the matter at least lip service attention.
Enter the typical security operation. Since very few companies or corporations are going to create a new department for what they view as a manual writing function, the odds are very good that they will follow past practices and decide that since this doesn’t fit nicely into any existing niche, to “let security handle it.” Now you really have your work cut out for you. Let’s take a look at some of the unique problems (or challenges) facing you.
First and foremost, you have to establish whether your company is serious about contingency planning or if it is just looking for another book to put on the shelf. If your people are serious, you should have the backing of your senior manment. This backing must be made known throughout the organization. (If they are not serious, hire a consultant to write a manual and ignore the rest of this article.) The best way to have the backing publicized is to have your CEO or President make an announcement at the senior management meeting with instructions to spread the word and to give you all the support you require.
That puts everyone on notice and smooths a lot of roads for you.
You will still meet resistance when a specific time commitment is required from someone, but you will have a little leverage to apply.
Your next challenge will be to identify the critical departments of your company (this is done through a typical risk analysis) and determine what it will take either to keep them in business or to re-establish their business functionality after a disaster strikes.
Since you do not know precisely what it takes to make those departments a success, how do you decide what is required to continue or resume business? You don’t; you have each department do their own risk analysis and document what they need to survive and resume. Your role is that of a coordinator, mentor, mother, and bully.
You basically tell everyone what to do, when to do it, how to do it (in general terms), and when to have it done.
As you are doing this with the other departments within your organization, you are also completing your own departmental risk analysis and formulating a plan to cover any contingency. You must look objectively at your department, people, equipment and procedures to see whether they are adequate to support your company in a time of need.
If not, you must identify the shortcomings and eliminate them. If they are, you must next write your own departmental plan, review it, disseminate it, and most importantly, test it with your staff. Sounds simple, doesn’t it? It’s not, but it is possible.
Bear in mind, you’re doing this while continuing on with your day-to-day operation, which until this point you thought was a full-time job.
Having received full cooperation from all the departments within your company, you have a desk full of individual rough draft plans. What do you do next?
You schedule your favorite activity, a series of meetings, with all the principals. At the meetings, you and the department head will review the plan and fine tune it. You will also meet with all the principals together--after the fine-tuning--to consolidate the plans, eliminate redundancy and conflicts, and in general mesh all the pieces together into one usable plan.
Once this is done, you collate all these pieces into one manual and submit it to your senior management for their comments and approval. You also must have your legal department or representative review the whole plan to ensure that you are not going to accidentally open any libelous can of worms. The whole plan should be signed off by both senior management and legal as the final step before publication and distribution. Hopefully, since your senior management is backing the project, you will get a letter of support to use as an introduction page for the manual.
At last your job is done, right? Wrong, although a very important first step is completed, you have only begun. And, since you did such a good job on this, who better to continue with the project?
What happened here? They just wanted you to write a contingency plan for the company, and you did that. What they didn’t tell you up front is that contingency planning is really a PROCESS, not a project!
So what does that mean? In practical terms, it means that you now have job security. As the author, you will naturally be designated as the “keeper of the books” for the whole plan.
Let’s take a quick look at your own department, just to get an idea of what this means.
As with any good manager, you are constantly trying to upgrade and professionalize your staff. This means there will be some personnel changes through promotions, terminations, resignations, etc.
As your company grows, you will also have to expand your staff (didn’t you have to increase someone’s workload for the manual project?) just to meet the demands of the expansion.
This growth will change players on your organization chart, which will require changes in your departmental contingency plan. Who will record those changes and make sure that the new players both know about the plan and their role in it?
The “keeper of the books,” that’s who! When you multiply the number of changes you personally have to make by the number of departments in your company, you will get a vague idea of what I mean by job security.
All of these departments will be going through the same growing and stretching pains that you are, and somebody has to know about it, gather the information, make the update changes in the book, disseminate the information to all book holders and make sure that everyone concerned is aware of his or her roles and responsibilities in an emergency.
Additionally, no plan is any good unless it is tested. As the main mover in this whole process, you will be appointed to set up some sort of training or practice exercises for the components of the plan--probably first a table-top exercise by department, then a complete practice drill involving your whole company. What you’re looking at here is approximately two years worth of work before you can even think of having an integrated drill. Once again, job security. Of course, after each drill or exercise, whether it is one department, a section, or the whole company, there are critiques, discussions and changes to be made.
As these changes or improvements are made, the book has to be updated with the new information. Couple that with the internal organizational changes and you can see a whole new career for yourself.
What is Security’s role in contingency planning? The smart money says that contingency planning is the security challenge of the ‘90s and that as a company or corporate security manager your role will be a dominant one.
If your company is not already involved in contingency planning, bet that it soon will be, get a jump on the task now, do your homework, and prepare for that additional job security.

Donald C. Sanford, CPP, CDRP, is the Emergency Planning Coordinator for Great Western Financial Corporation, Chatsworth, CA, and a member of the Association of Contingency Planners (ACP).

This article adapted from Vol. 3 No. 4, p. 48.

Disaster Recovery Worldİ 1999, and Disaster Recovery Journalİ 1999, are copyrighted by Systems Support, Inc. All rights reserved. Reproduction in whole or part is prohibited without the express written permission form Systems Support, Inc.