Writing Dynamite Security Management Plans
Submitted February, 1999
- Security Management Plan
- Section A -- Executive Summary
- Section B -- Policy Section
- Section C -- Access Control Policies
- Section D -- Identification Policies
- Section E -- Security-Related Policies
- Section F -- Unit Security Policies
- Section G -- Security Department Policies
- Section H -- Documentation of Performance Standards
- Section I -- Documentation of Various Staff Tests
- Section J -- Documentation of Vulnerability Assessments
- Section K -- Statement of Authority and Approval
The Security Management Plan is a major focus of any quality-oriented security
program. The key to any business or portion of a business that wants to be a
total quality effort is the written policy. The policy does three things.
First, it puts in writing what the organization agrees should be the baseline
for any function. Second, it serves as a method of communicating to everyone
else in the organization what the acceptable behavior or level of service is.
This is, of course, assuming that the organization has the appropriate
structure for Total Quality Management or Continuous Quality Improvement.
Third, it provides a document that establishes a training standard for
everyone who needs to perform a particular function or service level.
The purpose of describing the format of the Security Management Plan is to attempt to establish a standard format. It would be impossible to recommend what a Plan should include because of the major differences between organizations, but the format can be somewhat standardized. The format used here is based on a document, first published in 1994, called the Management Plan Outline. By following the same basic concepts, this outline is designed to be used across the entire Environment of Care selection of disciplines as well.
Clearly, whether the format is used in a multi-facility organization or in a single-facility organization, the format across that entity should be the same. The reason this should be a major focus is that it will show that people are communicating with one another. If there are several different formats across a single organization, it would show that people are not communicating with one another. While I am speaking primarily to healthcare professionals under Joint Commission Survey requirements, this should also be the format used by any organization.
The format discussed here is structured to be provided in a three-ring binder using tabs either 1- or if using letters A-. The actual structure of the book should follow the intent statements of the Joint Commission standards or, if that is not the document used, a list of major functions being performed will suffice.
The first document in the Plan should be an executive summary that follows this basic outline and answers these questions. Remember that this document will probably not be more than three or four pages and each section will probably be not much more than two or three paragraphs.
What function is the plan defining? What areas are being covered? For example, let's assume that there is a large campus with numerous buildings. The healthcare facility owns all of the land but only ground leases to some of the other buildings. Are security functions done and are there limitations? Are services provided only to on-staff physician practices? And what services are performed? In this description, the goal is to define the limits of the area or the function under which the function works.
What is the criterion that is used for inclusion in this Plan? If the plan includes buildings or facilities that are not on the immediate campus, how are they selected for services and who makes those decisions? If this is a great distance from the major function, what is the department's response and what are the limits to those responses? If someone else is performing a function, describe it here.
Does this plan relate to the mission statement of the organization? How does it do that? And what specific parts of the plan address what specific parts of the mission statement? Finally, how does this plan relate to the intent of the standards if Joint Commission standards are used?
What risks does the Plan address? Describe the specific threats that the plan is trying to address. What methods are used to identify risk? Examples may include reports from staff and the public, analysis of incidents using PPM 2000 Security Software, etc.
What are the outcomes the plan seeks to achieve? If the plan were able to completely carry out its mission, what would the resultant atmosphere be on the campus?
How will the organization address the Joint Commission's intent and what activities are included in addressing those intents? List the key functions such as preventive verifiable patrol, response to crisis or to emergencies, disaster management, etc. What is the organization's commitment to outside training of both security staff and facility staff?
Specify the standards that are used to evaluate the plan's effectiveness. Define the appropriate levels of accomplishment. When is the function successful? For example, three fairly easy standards for the security function are stat calls (first officer on the scene within 120 seconds), verifiable patrol, if it is used (95% of the strips or buttons, 95% of the time), and patrol mileage that makes the officers create an air of omnipresence (10 miles on dayshift, 15 miles on evening shift and 20 miles on midnights). The standard would be 90% compliance.
Who collects data to monitor components of the plan? How is it collected and how is it disseminated to the safety or environment of care committee, senior management, the board of directors, the medical staff, etc.? Also describe what information is shared with whom. Senior management might see actual incident reports, but safety might only see a summation of all incidents and a summation of all performance standards. The board report might speak to major incidents and trends identified.
Provide an overview of how staff is trained and regularly updated or tested on their knowledge of the plan. Especially useful is a list of all the staff knowledge tests that are done in the normal routine education process. Staff knowledge tests include testing whether staff knows how to use alarms or access control or specific emergency plans.
List all plan related training programs including aggressive behavior management, workplace violence prevention training, alarm response training, fire response, etc. As you list these, refer to the place where the program or outline can be found to make it easier on the surveyor.
In this section is a brief description of who is responsible for which aspects of the plan. Start at the Board or governing authority level and follow it all the way down to the employee level. Use just a small paragraph to describe the role each plays. Use a flowchart to follow an incident all the way through the system.
Define how problems will be identified, how they will be monitored until resolved and how they will be reported. Use a short description of the system used to make sure all problems are followed through the system. Finally, how will the plan be evaluated and will it be done annually? Who will do it and will an outside consultant do it? What will the selection criterion be for the outside consultant?
In this section will be kept the two major policies for this discipline. The first will be the enabling policy that takes the entire program and puts it into a policy format. This should be the same policy that appears in the organization's overall policy manual and should be approved by Safety, Environment of Care, Executive Committee and the Board.
The remainder of these sections are collections of policies placed in individual headings. This is done to provide an easier means to ensure consistency, to aid in training of all staff and to make them easier to update.
This is a collection of all policies that relate to access control in the organization. This includes all visitor policies, all access control policies and all traffic control policies that limit the ability of anyone to move through an organization or a building.
This is a collection of all policies that relate to how people are identified in the organization. Identity policies should include employees, physicians, patients, any special class of patients like fall prone or emergency patients and vendors. If there are policies that identify visitors or any special class of visitors, such as significant others, include them.
This collection of policies includes the ones that affect the security function in the organization and are facility-wide. These policies will include disaster policies, disciplinary policies, service policies such as battery jumps, etc.
This collection of policies includes policies that affect a particular department other than security and are limited in their effect. Several examples of this would include the one in Radiology that speaks to the security of portable cesium sources, policies that speak to MRI security and emergency responses to the magnet rooms and Emergency Department policies about the behavior of forensic officers such as prisoner guards, police officers, etc.
This collection of policies includes all departmental policies that affect the security department itself such as Codes of Ethics, uniform policies, policies concerning the transport of money, etc.
In each of the standards areas, store the monthly or bimonthly reports in this section and maintain them for at least one year. These should also be available for the security officers to review. Remember that a major focus of the Joint Commission is improvement. These statistics should not be hidden from the people that are supposed to improve.
Identify here all the staff knowledge tests that are conducted. Some examples include:
- Abduction Codes - Test not only infant and nursery staff but also regular staff, especially those who work close to exits.
- Communications - Test whether staff knows how to reach security and test whether they know how to reach the Director.
- Community Relations Plan - Test whether staff knows how and when to reach the community relations department should the media try to get information from them.
- Evacuations - Test whether staff in any particular area knows how to evacuate their area on a limited basis and if the whole facility has to be evacuated.
- Panic Alarms - Test whether staff in areas that have panic alarms such as the Emergency Department, Business Office or Human Resources know how to use them and what they can expect from security.
- "Stat" Calls - Test whether regular staff knows how to call a "stat" or emergency call, have them make the call and time the security officers once per quarter.
Also store the actual results and recaps in this section.
Finally, this section is for the storage of Vulnerability Assessments. The Joint Commission wants to see that the program is continuously under review. The general criterion for doing an assessment is any incident that generates injury or any one that results in a loss over $500. Whatever the local organization sets as the standard should be followed. A sample format is included.
This final section contains a simple statement that is signed by the Chief Executive Officer or his/her designee that authorizes the plan. Without this document, the organization can find itself in very deep trouble if any certain emergency process was done without authority.
In addition to developing the plan to meet the requirements of the Joint Commission, it is extremely useful in mitigating litigation and preventing problems from occurring. If you are going to have a plan, make it a good one and don't shelve it. This document can be used to establish the competency testing program and develop the officers that work in the facility.
To Safety Committee
|Review Completed:||Recommendations taken to Committee:|
About the Author: Wayne C. Church is a Certified Protection Professional (CPP) and a Certified Healthcare Protection Administrator (CHPA). He is the Principal Partner in Wayne C. Church Speaking & Consulting in Phoenix, AZ. Wayne has over twenty years in security management and 16 of those years specific to healthcare, and is the author of numerous articles in many publications including Security Management magazine. Mr. Church's consulting services include surveying and creating security management plans.
Copyright © 1998, 1999 Wayne C. Church. All rights reserved. No portion of this article may be reproduced without the express written permission of the copyright holder. If you believe you may lawfully use a quotation, excerpt or paraphrase of this article under the Fair Use exception to copyright law, except as otherwise authorized by the author of the article, you must cite this article as a source for your work and include a link back to the original article from any online materials that incorporate or are derived from the content of this article.