Writing Dynamite Security Management Plans

Security Management Plan

The Security Management Plan is a major focus of any quality-oriented security
program. The key to any business or portion of a business that wants to be a
total quality effort is the written policy. The purpose of the policy is to
put in writing what the organization agrees should be the baseline for any
function. The policy also serves as a method of communicating to everyone
else in the organization what the acceptable behavior or level of service
is. This is, of course, assuming that the organization has the appropriate
structure for Total Quality Management or Continuous Quality Improvement.
Third, the policy provides a document that establishes a training standard
for everyone who needs to perform a particular function or service level.

The purpose of describing the format of the Security Management Plan is to attempt to establish a standard format. It would be impossible to recommend what a Plan should include because of the major differences among organizations, but the format can be somewhat standardized. The format used here is based on a document, first published in 1994, called the Management Plan Outline. This outline is designed so that, by following the basic concepts, it can be used across the entire Environment of Care selection of disciplines as well.

Clearly, whether the format is used in a multi-facility organization or in
a single facility organization, the format across that entity should be the
same. The reason this should be a major focus is because it will show that
people are communicating with one another. If there are several different
formats across a single organization it would show that people are not communicating
with one another. While I am speaking primarily to healthcare professionals
under Joint Commission Survey requirements, this should also be the format
used by any organization.

The format discussed here is structured to be provided in a three-ring binder
using tabs, either 1- or, if using letters, A-. The actual structure of the book
should follow the intent statements of the Joint Commission standards or,
if that is not the document used, a list of major functions being performed
will suffice.

The first document in the Plan should be an executive summary that follows
this basic outline and answers these questions. Remember that this document
will probably not be more than three or four pages and each section will probably
be not much more than two or three paragraphs.

Section A -- Executive Summary

Scope of the Plan

What function is the plan defining? What areas are being covered? For example,
let's assume that there is a large campus with numerous buildings. The healthcare
facility owns all of the land but only ground leases to some of the other
buildings. Are security functions done and are there limitations? Are services
provided only to on-staff physician practices? And what services are performed?
In this description, the goal is to define the limits of the area or the
function under which the function works.

What is the criterion that is used for inclusion in this Plan? If the plan
includes buildings or facilities that are not on the immediate campus, how
are they selected for services and who makes those decisions? If this is a great
distance from the major function, what is the department's response and what
are the limits to those responses? If someone else is performing a function,
describe it here.

Does this plan relate to the mission statement of the organization? How
does it do that? And what specific parts of the plan address what specific
parts of the mission statement? Finally, how does this plan relate to the
intent of the standards if Joint Commission standards are used?

Statement of Need

What risks does the Plan address? Describe the specific threats that the
plan is trying to address. What methods are used to identify risk? Examples
may include reports from staff and the public, analysis of incidents using
PPM 2000 Security, etc.

Objectives of the Plan

What are the outcomes the plan seeks to achieve? If the plan were able to
completely carry out its mission, what would the resultant atmosphere be
on the campus?

Approach Overview

How will the organization address the Joint Commission's intent and what
activities are included in addressing those intents? List the key functions
such as preventive verifiable patrol, response to crisis or to emergencies,
disaster management, etc. What is the organization's commitment to outside
training of both security staff and facility staff?

Standards of Performance

Specify the standards that are used to evaluate the plan's effectiveness.
Define the appropriate levels of accomplishment. When is the function successful?
For example, three fairly easy standards for the security function are stat
calls (first officer on the scene within 120 seconds), if verifiable patrol
is used (95% of the strips or buttons, 95% of the time), and patrol mileage
that makes the officers create an air of omnipresence (10 miles on dayshift,
15 miles on evening shift and 20 miles on midnights). The standard would
be 90% compliance.

Information Gathering and Reporting

Who collects data to monitor components of the plan? How is it collected
and how is it disseminated to the safety or environment of care committee,
senior management, the board of directors, the medical staff, etc.? Also
describe what information is shared with whom. Senior management might see
actual incident reports but safety might only see a summation of all incidents
and a summation of all performance standards. The board report might speak
to major incidents and trends identified.

Orientation and Training Programs

Provide an overview of how staff is trained and regularly updated or tested
on their knowledge of the plan. Especially useful is a list of all the staff
knowledge tests that are done in the normal routine education process. Staff
knowledge tests include testing whether staff knows how to use alarms or
access control or specific emergency plans.

List all plan-related training programs including aggressive behavior management,
workplace violence prevention training, alarm response training, fire response,
etc. As you list these, refer to the place where the program or outline
can be found to make it easier on the surveyor.

Organization Roles and Responsibilities

In this section is a brief description of who is responsible for which
aspects of the plan. Start at the Board or governing authority level and
follow it all the way down to the employee level. Use just a small paragraph
to describe the role each plays. Use a flowchart to follow an incident all
the way through the system.

Define how problems will be identified, how they will be monitored until
resolved and how they will be reported. Use a short description of the system
used to make sure all problems are followed through the system. Finally,
how will the plan be evaluated and will it be done annually? Who will do
it and will an outside consultant do it? What will the selection criterion
be for the outside consultant?

Section B -- Policy Section

In this section will be kept the two major policies for this discipline.
The first will be the enabling policy that takes the entire program and
puts it into a policy format. This should be the same policy that appears
in the organization's overall policy manual and should be approved by Safety,
Environment of Care, Executive Committee and the Board.

The remainder of these sections are collections of policies placed in individual
headings. This is done to provide an easier means to ensure consistency,
to aid in training of all staff and to make them easier to update.

Section C -- Access Control Policies

This is a collection of all policies that relate to access control in the
organization. This includes all visitor policies, all access control policies
and all traffic control policies that limit the ability of anyone to move
through an organization or a building.

Section D -- Identification Policies

This is a collection of all policies that relate to how people are identified
in the organization. Identity policies should include employees, physicians,
patients, any special class of patients like fall prone or emergency patients
and vendors. If there are policies that identify visitors or any special
class of visitors, such as significant others, include them.

Section E -- Security-Related Policies

This collection of policies includes the ones that affect the security
function in the organization and are facility-wide. These policies will
include disaster policies, disciplinary policies, service policies such
as battery jumps, etc.

Section F -- Unit Security Policies

This collection of policies includes policies that affect a particular
department other than security and are limited in their effect. Several
examples of this would include the one in Radiology that speaks to the security
of portable cesium sources, policies that speak to MRI security and emergency
responses to the magnet rooms and Emergency Department policies about the
behavior of forensic officers such as prisoner guards, police officers, etc.

Section G -- Security Department Policies

This collection of policies includes all departmental policies that affect
the security department itself such as Codes of Ethics, uniform policies,
policies concerning the transport of money, etc.

Section H -- Documentation of Performance Standards

In each of the standards areas, store the monthly or bimonthly reports
in this section and maintain them for at least one year. These should also
be available for the security officers to review. Remember that a major
focus of the Joint Commission is improvement. These statistics should not
be hidden from the people that are supposed to improve.

Section I -- Documentation of Various Staff Tests

Identify here all the staff knowledge tests that are conducted. Some examples:

  • Abduction Codes - Test not only infant and nursery staff but also regular
    staff, especially ones that work close to exits.

  • Communications - Test whether staff knows how to reach security and
    test whether they know how to reach the Director.

  • Community Relations Plan - Test whether staff knows how and when to
    reach the community relations department should the media try to get information
    from them.

  • Evacuations - Test whether staff in any particular area know how to evacuate
    their area on a limited basis and if the whole facility has to be evacuated.

  • Panic Alarms - Test whether staff in areas that have panic alarms such
    as the Emergency Department, Business Office or Human Resources know how
    to use them and what they can expect from security.

  • "Stat" Calls - Test whether regular staff knows how to call a "stat"
    or emergency call, have them make the call and time the security officers
    once per quarter.

Also store the actual results and recaps in this section.

Section J -- Documentation of Vulnerability Assessments

Finally, this section is for the storage of Vulnerability Assessments.
The Joint Commission wants to see that the program is continuously under
review. The general criterion for doing an assessment is any incident
that generates injury or any one that results in a loss over $500. Whatever
the local organization sets as the standard should be followed. A
sample format is included.

Section K -- Statement of Authority and Approval

This final section contains a simple statement that is signed by the Chief
Executive Officer or his/her designee that authorizes the plan. Without
this document, the organization can find itself in very deep trouble if
an emergency process is carried out without authority.

In addition to meeting the requirements of the Joint Commission, the plan
is extremely useful in mitigating litigation and preventing problems from
occurring. If you are going to have a plan, make it a good one
and don't shelve it. This document can be used to establish the competency
testing program and develop the officers that work in the facility.

Vulnerability Assessment

Vulnerability assessments should be done as soon as practicable after each major incident or concern as expressed by staff. It may not be necessary, in some cases, to take any action, but the processes should be reviewed in any case. Store in the Security Management Plan.

Incident Date: Time:
Incident Number: Reviewer:
Problem: Action:
To Safety Committee Conclusion/Followup
Review Completed: Recommendations taken to Committee:
Copyright © 1999 Wayne C. Church, All rights reserved. No portion of this article may be reproduced without the express written permission of the copyright holder. If you use a quotation, excerpt or paraphrase of this article, except as otherwise authorized in writing by the author of the article you must cite this article as a source for your work and include a link back to the original article from any online materials that incorporate or are derived from the content of this article.

This article was last reviewed or amended on Jan 17, 2015.