Strategy is not static
By Mel Gedruj
In last issue’s column we looked at the general challenges facing municipal security management planning, ranging from domain-specific standards to an agreed-upon methodology.
The latter should start with a look at the governance and administrative structure. For the purposes of this exercise let’s work with assumptions: we will assume the municipality has a governance structure but wishes to improve it or does not have one due to fiscal restraint.
We had reviewed what could be construed as an optimal setup, i.e. Emergency, Security and Business Continuity all under the umbrella of Enterprise Risk Management (ERM).
Let’s assume that the security section/division is led by one or more staff. Our next step would be to define all the deliverables that would support our subsequent stages. The three major levels we would look at are: strategic (why), tactical (what), then finally the operational layer (how), each resulting in a working document. The associated document for an organizational security policy could be a “security master plan.” Whatever we choose to call it, it should define the strategic aims. It could be one page long or 20; what is essential is that it not only establishes the overall objectives against which progress will be gauged but also supports the deployment of future security measures within the approved overall direction. To move from a purely theoretical level and put some meat on these statements, we need to introduce international standards and more conceptual models.
While not focused on municipal security, both ISO 31000 (Risk Management) and ASIS International SPC.1.2009 on organizational resilience introduce a study of risk in a more comprehensive way. The one standard that could be construed as municipally oriented, since it was adopted by the American Water Wastewater Association (AWWA), is the RAMCAP 2010 Risk and Resilience Standard. It provides prescriptive steps to deal with a full spectrum of hazards. “Resilience” is the one common theme. It helps security move from the proverbial “guards, gates and guns” to a function embedded in the management of an organization. Applied to the municipal environment, it provides the flexibility to adopt solutions applied to different risk exposures.
Now, how should we apply any of these, or portions of them, to establish strategic security objectives? Resilience could be one of a number of strategic objectives, which we could use at two levels: high for critical infrastructure and lower for other assets. An example would be: if public transit operations were to be disrupted, we would first recover by going into a holiday mode for (insert number) weeks and resume full operations after that.
Next we would need two more conceptual models that would help us define objectives more clearly: Security Situational Awareness (SSA) and Mission Criticality (MC). While they are primarily designed to establish the tactical-level guidelines, they should be used to define strategic objectives. They could be used to provide five levels of rating. An example would be: “For our operations and assets with an MC of 4, we would aim at an SSA of 4.”
The process of building our strategic statement is not a linear one. It requires a feedback loop whereby we would assess risk and vulnerability for various assets and test our findings to conclude which approach would be acceptable (think fiscal constraints) to Regional or City council. Needless to say, bluntly applying standards would not help in obtaining a broad consensus.
Mel Gedruj, OAA, CSPM, is an Ontario Licensed Architect and Certified Security Project Manager specializing in municipal security management planning.