The risk management approach to the security of computer-based systems involves a professional examination of all risks and possible defensive actions, an independence that counteracts vested interests, and skills and information that cannot be implanted in every line manager. Risk management also includes a central position that permits a view across department and company boundaries and an acceptance that policy decisions and overall responsibility rest firmly with top management. Prime security measures are designed to reduce the chance of peril striking at one of the system's component parts. Prime security anticipates the peril, while contingency planning is designed to recover the system after disaster strikes. Its first objective is to restore the system to working order, while its second objective is to have appropriate fall-back facilities. The paper reviews the actions needed for successful recovery and fall-back. It emphasizes the need to consolidate all the defensive strands and analyzes the factors of cost, availability, and timescales influencing the decisionmaking process. Discussion also focuses on the role of emerging shared standby centers and the role of insurance in planning for security. No references are cited.